b'                        OFFICE OF\n                 THE INSPECTOR GENERAL\n                       U.S. NUCLEAR\n                 REGULATORY COMMISSION\n\n\n                      Independent Evaluation of NRC\xe2\x80\x99s\n                        Implementation of the Federal\n                      Information Security Management\n                       Act (FISMA) for Fiscal Year 2004\n\n                     OIG\xe2\x80\x9304-A-22 September 30, 2004\n\n\n\n\n              EVALUATION REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                         September 30, 2004\n\n\n\nMEMORANDUM TO:             Luis A. Reyes\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum/RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   INDEPENDENT EVALUATION OF NRC\xe2\x80\x99S\n                           IMPLEMENTATION OF THE FEDERAL\n                           INFORMATION SECURITY MANAGEMENT ACT\n                           (FISMA) FOR FISCAL YEAR 2004 (OIG-04-A-22)\n\n\nThis evaluation report titled, Independent Evaluation of NRC\xe2\x80\x99s Implementation of\nthe Federal Information Security Management Act for Fiscal Year 2004.\nAppendix B contains the OIG 2004 Federal Information Security Management\nAct Report template to the Office of Management and Budget. This report\nreflects the results of the independent evaluation performed by Richard S.\nCarson & Associates, Inc. on behalf of the NRC Office of the Inspector General.\n\nBased on its review, Richard S. Carson & Associates, Inc., determined that the\nNRC\xe2\x80\x99s information security program has the following weaknesses:\n\n   \xc3\x98 NRC Management Directive 12.5, NRC Automated Information Security\n     Program, contains sensitive information that is publicly available.\n   \xc3\x98 Several required security documents need updating.\n   \xc3\x98 Some security processes need further improvement.\nThe weaknesses identified are not significant deficiencies or reportable\nconditions. During an exit conference on September 22, 2004, NRC officials\nprovided comments concerning the draft audit report and opted not to submit\nformal written comments to this report.\n\nIf you have any questions or wish to discuss this report, please call me at 415-\n5915 or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cDistribution List\n\nB. John Garrick, Chairman, Advisory Committee on Nuclear Waste\nMario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nDennis K. Rathbun, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nPatricia G. Norry, Deputy Executive Director for Management Services, OEDO\nWilliam F. Kane, Deputy Executive Director for Homeland Protection\n  and Preparedness, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research\n  and State Programs, OEDO\nEllis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nJacqueline E. Silber, Chief Information Officer\nMichael L. Springer, Director, Office of Administration\nFrank J. Congel, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nPaul E. Bird, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\nOffice of Public Affairs, Region I\nOffice of Public Affairs, Region II\nOffice of Public Affairs, Region IV\n\x0c                         \xe2\x80\x9cIndependent Evaluation of\n                        NRC\xe2\x80\x99s Implementation of the\n               Federal Information Security Management Act\n                            For Fiscal Year 2004\xe2\x80\x9d\n\n\n\n\n                          Contract Number: GS-00F-0001N\n                        Delivery Order Number: DR-36-03-346\n\n                                              September 24, 2004\n\n\n\n\n\xe2\x80\x9cThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official U.S. Nuclear\n              Regulatory Commission position, policy, or decision, unless so designated by other official documentation.\xe2\x80\x9d\n\x0c[Page intentionally left blank]\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n      Richard S. Carson & Associates, Inc., on behalf of the Office of the Inspector General of\n      the U.S. Nuclear Regulatory Commission (NRC), completed this Independent Evaluation\n      Report, and the NRC 2004 Office of Management and Budget (OMB) Federal\n      Information Security Management Act (FISMA) Report, which is included as Appendix\n      B. The Independent Evaluation Report identifies specific findings and recommendations\n      for resolution of identified weaknesses.\n\nPURPOSE\n\n      The objectives of the independent evaluation of NRC\xe2\x80\x99s information security program\n      were to:\n\n          1. Test the effectiveness of information security policies, procedures, and practices\n             of a representative subset of the agency\xe2\x80\x99s information systems; and\n          2. Assess compliance with the Federal Information Security Management Act and\n             related information security policies, procedures, standards, and guidelines.\n\nRESULTS IN BRIEF\n\n      Over the past year, NRC continued to improve its security program. For example, NRC:\n\n          \xe2\x80\xa2   Completed a majority of program and system level corrective actions identified in\n              the FY 2003 FISMA review, including additional corrective actions identified\n              throughout FY 2004 (approximately 83%).\n          \xe2\x80\xa2   Completed a risk assessment, security plan, business continuity plan, and certified\n              and accredited one of the new major applications under development.\n          \xe2\x80\xa2   Completed annual business continuity plan testing for sixteen of the seventeen\n              major applications and general support systems at NRC.\n          \xe2\x80\xa2   Developed a process for updating the NRC system inventory on a semi-annual\n              basis.\n          \xe2\x80\xa2   Developed procedures for implementing security configurations on NRC servers.\n\n      However, the independent evaluation identified the following information security\n      program weaknesses. None of these weaknesses are considered to be significant\n      deficiencies or reportable conditions as defined in OMB guidance.\n\n          \xe2\x80\xa2   NRC Management Directive 12.5, NRC Automated Information Security\n              Program, contains sensitive information, but it was publicly available.\n\n\n\n                                               i\n\x0c                                                                          Independent Evaluation of\n                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n        \xe2\x80\xa2   Agreements with the two Federal agencies providing services to NRC need\n            updating.\n        \xe2\x80\xa2   Four system certifications and accreditations need updating.\n        \xe2\x80\xa2   One risk assessment needs updating.\n        \xe2\x80\xa2   One system business continuity plan needs updating.\n        \xe2\x80\xa2   NRC\xe2\x80\x99s corrective action tracking process needs further improvement.\n        \xe2\x80\xa2   The agency\xe2\x80\x99s plan of action and milestones needs improvement.\n        \xe2\x80\xa2   The agency\xe2\x80\x99s certification and accreditation process needs improvement.\n            Specifically, the agency needs to develop processes for (1) ensuring security\n            documentation supporting system certification and accreditation is consistent with\n            National Institute of Standards and Technology guidelines, (2) ensuring security\n            protection requirements (confidentiality, integrity, availability) are consistently\n            defined in security plans and self-assessments, and (3) ensuring security test and\n            evaluation in support of certification and accreditation is comprehensive and\n            independent.\n\nRECOMMENDATIONS\n\n     This report makes sixteen recommendations to the Executive Director for Operations. A\n     consolidated list of recommendations can be found on page 31 of this report.\n\nAGENCY COMMENTS\n\n     On September 22, 2004, the Executive Director for Operations provided comments\n     concerning the draft Independent Evaluation Report and NRC 2004 OMB FISMA\n     Report. We modified the reports as we determined appropriate in response to these\n     comments.\n\n\n\n\n                                             ii\n\x0c                                                                          Independent Evaluation of\n                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nADAMS     Agencywide Document Access and Management System\nBCP       Business Continuity Plan\nC&A       Certification and Accreditation\nCFR       Code of Federal Regulations\nCIO       Chief Information Officer\nDDMS      Digital Data Management System\nDOI       Department of the Interior\nFFS       Federal Financial System\nFISMA     Federal Information Security Management Act\nFPPS      Federal Personnel and Payroll System\nFY        Fiscal Year\nIPSS      Integrated Personnel Security System\nISSO      Information System Security Officer\nIT        Information Technology\nITSSTS    Information Technology Systems Security Tracking System\nLAN/WAN   Local Area Network/Wide Area Network\nMD        Management Directive\nNBC       National Business Center\nNIH       National Institutes of Health\nNIST      National Institute of Standards and Technology\nNRC       U.S. Nuclear Regulatory Commission\nOCIO      Office of the Chief Information Officer\nOIG       Office of the Inspector General\nOMB       Office of Management and Budget\nPOA&M     Plan of Action and Milestones\nSITSO     Senior Information Technology Security Officer\nSP        Special Publication\nUS-CERT   United States Computer Emergency Readiness Team\n\n\n\n\n                                            iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                                                   Independent Evaluation of\n                                                                                    NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n\n2 Purpose..................................................................................................................... 1\n\n3 Findings .................................................................................................................... 2\n    3.1     System Inventory and Information Technology Security Performance...........................3\n            3.1.1 NRC Programs and Systems ................................................................................3\n            3.1.2 Contractor Operations or Facilities ....................................................................5\n            3.1.3 Certification and Accreditation............................................................................8\n            3.1.4 Security Control Costs and Information Technology Investments.....................10\n            3.1.5 Security Control Test and Evaluation ................................................................12\n            3.1.6 Contingency Planning and Testing ....................................................................12\n            3.1.7 System Inventory ................................................................................................13\n            3.1.8 E-Authentication.................................................................................................14\n            3.1.9 Senior Agency Information Security Officer ......................................................14\n    3.2     Assessment of the POA&M Process ..............................................................................15\n    3.3     Assessment of the Certification and Accreditation Process...........................................19\n    3.4     Security Configurations and Patching............................................................................25\n    3.5     Incident Detection and Handling Procedures, and Incident Reporting and Analysis ....27\n    3.6     Security Awareness and Training...................................................................................29\n4 Consolidated List of Recommendations.............................................................. 31\n\n5 OIG Response to Agency Comments................................................................... 32\n\n\nAppendices\n\n       Appendix A:           Scope and Methodology ............................................................................33\n       Appendix B:           NRC 2004 OMB FISMA Report ...............................................................35\n\n\n\n\n                                                                 v\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                     Independent Evaluation of\n                                                                      NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n1       Background\n\nRichard S. Carson & Associates, Inc. (Carson Associates), on behalf of the Office of the\nInspector General (OIG) of the U.S. Nuclear Regulatory Commission (NRC), completed this\nIndependent Evaluation Report, and the NRC 2004 Office of Management and Budget (OMB)\nFederal Information Security Management Act (FISMA) Report, which is included as Appendix\nB. The Independent Evaluation Report identifies specific findings and recommendations for\nresolution of identified weaknesses.\n\nOn December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-\n347), which includes the Federal Information Security Management Act of 20021. FISMA\noutlines the information security management requirements for agencies, which include an\nannual review by the agency, an independent evaluation of an agency\xe2\x80\x99s information security\nprogram and practices by the agency\xe2\x80\x99s inspectors general, and an evaluation of the effectiveness\nof information security control techniques. FISMA also requires an assessment of compliance\nwith requirements and related information security policies, procedures, standards, and\nguidelines. The annual agency reviews and the OIG independent evaluations are intended to\nprovide agencies with the information needed to determine the effectiveness of overall security\nprograms and to develop strategies and best practices for improving information security.\n\nThe independent evaluation comprises four elements \xe2\x80\x94 evaluation of the implementation of\nNRC\xe2\x80\x99s information security program, evaluation of progress towards completing corrective\nactions addressed within the FY 2003 Plan of Action and Milestones (POA&M), review of the\nsystem self-assessments prepared by NRC, and verification and testing of information security\ncontrols for six representative information systems. Four of the systems are NRC systems, and\ntwo of the systems are systems used by NRC, but owned by another Federal agency. The results\nof the independent evaluation are presented in this Independent Evaluation Report, which\npresents recommendations to address the weaknesses identified during the evaluation.\n\n2       Purpose\n\nThe objectives of the independent evaluation of NRC\xe2\x80\x99s information security program were to:\n\n    1. Test the effectiveness of information security policies, procedures, and practices of a\n       representative subset of the agency\xe2\x80\x99s information systems; and\n    2. Assess compliance with FISMA and related information security policies, procedures,\n       standards, and guidelines.\n\n\n\n\n1\n The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\nGovernment Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act,\nwhich expired in November 2002.\n\n\n                                                      1\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n3        Findings\n\nOver the past year, NRC continued to improve its security program. For example, NRC:\n\n    \xe2\x80\xa2    Completed a majority of program and system level corrective actions identified in the FY\n         2003 FISMA review, including additional corrective actions identified throughout FY\n         2004 (approximately 83%).\n    \xe2\x80\xa2    Completed a risk assessment, security plan, business continuity plan, and certified and\n         accredited one of the new major applications under development.\n    \xe2\x80\xa2    Completed annual business continuity plan testing for sixteen of the seventeen major\n         applications and general support systems at NRC.\n    \xe2\x80\xa2    Developed a process for updating the NRC system inventory on a semi-annual basis.\n    \xe2\x80\xa2    Developed procedures for implementing security configurations on NRC servers.\n\nHowever, the independent evaluation identified the following information security program\nweaknesses. None of these weaknesses are considered to be significant deficiencies2 or\nreportable conditions3 as defined in OMB guidance.\n\n    \xe2\x80\xa2    NRC Management Directive 12.5, NRC Automated Information Security Program,\n         contains sensitive information, but it was publicly available.\n    \xe2\x80\xa2    Agreements with the two Federal agencies providing services to NRC need updating.\n    \xe2\x80\xa2    Four system certifications and accreditations need updating.\n    \xe2\x80\xa2    One risk assessment needs updating.\n    \xe2\x80\xa2    One system business continuity plan needs updating.\n    \xe2\x80\xa2    NRC\xe2\x80\x99s corrective action tracking process needs further improvement.\n    \xe2\x80\xa2    The agency\xe2\x80\x99s POA&M needs improvement.\n    \xe2\x80\xa2    The agency\xe2\x80\x99s certification and accreditation process needs improvement. Specifically,\n         the agency needs to develop processes for (1) ensuring security documentation\n         supporting system certification and accreditation is consistent with National Institute of\n         Standards and Technology (NIST) guidelines, (2) ensuring security protection\n         requirements (confidentiality, integrity, availability) are consistently defined in security\n         plans and self-assessments, and (3) ensuring security test and evaluation in support of\n         certification and accreditation is comprehensive and independent.\n\n\n\n2\n  A significant deficiency is a weakness in an agency\xe2\x80\x99s overall information systems security program or\nmanagement control structure, or within one or more information systems, that significantly restricts the capability\nof the agency to carry out its mission or compromises the security of its information, information systems,\npersonnel, or other resources, operations, or assets.\n3\n  A reportable condition exists when a security or management control weakness does not rise to level of a\nsignificant deficiency, yet is still important enough to be reported to internal management and/or external agencies.\n\n\n                                                           2\n\x0c                                                                                 Independent Evaluation of\n                                                                  NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nThe following sections present the detailed findings from the independent evaluation. The\nformat of the following sections is based on the sections of the NRC 2004 OMB FISMA Report,\nwhich can be found in Appendix B.\n\n3.1       System Inventory and Information Technology Security Performance\n\nNRC 2004 OMB FISMA Report Section A\n\n3.1.1 NRC Programs and Systems\n\nNRC 2004 OMB FISMA Report A.1.a, A.1.b, A.3.f\n\nNRC Programs\n\nCarson Associates reviewed NRC\xe2\x80\x99s one program. NRC Management Directive (MD) 12.5, NRC\nAutomated Information Security Program, defines NRC\xe2\x80\x99s automated information systems\nsecurity program. MD 12.5 was updated in September 2003 to include the following updates:\n\n      \xe2\x80\xa2   New security policies and procedures developed since MD 12.5 was last updated were\n          incorporated. These policies include, but are not limited to Guidelines for the Use of\n          Password Checking Software, Incident Response Procedures, Operating and System\n          Software Maintenance Procedures, and NRC\xe2\x80\x99s Firewall Policy.\n      \xe2\x80\xa2   The system identification diagram that was used to categorize NRC information systems\n          was removed and replaced with a full description of each system category (major\n          application, general support system, listed, and other). MD 12.5 also includes a new\n          table, \xe2\x80\x9cSecurity Planning and Reporting Requirements by System Type.\xe2\x80\x9d\n      \xe2\x80\xa2   Additional text was added to clarify who is responsible for developing and maintaining\n          the system inventory. It states that Regional Administrators and Office Directors are to\n          provide input into the system inventory, and the system sponsors/owners are responsible\n          for ensuring that all office-sponsored systems are properly categorized and accurately\n          reflected in the master inventory of systems maintained by the Office of the Chief\n          Information Officer (OCIO). Each office will work with OCIO to update and revalidate\n          the master inventory of systems on an annual basis.\n\nThe various policies included in MD 12.5 can be found on the NRC Customer Service Branch\nwebsite, and the on-line versions are up-to-date. OCIO also provides supplemental information\nsecurity guidance on the NRC internal web site, including:\n\n      \xe2\x80\xa2   NRC Password and Warning Banner Guidance\n      \xe2\x80\xa2   Guidelines for Modem Usage\n      \xe2\x80\xa2   Processing and Handling Safeguards Information in the NRC Unclassified Local\n          Area/Wide Area Network Environment\n      \xe2\x80\xa2   Templates for risk assessments, security plans, and security test and evaluation plans.\n\n\n\n                                                   3\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nMD 12.5 Contains Sensitive Information, But It Was Publicly Available\n\nDuring the FY 2004 FISMA review, Carson Associates discovered that MD 12.5 was available\non the NRC public web site. In the past, this directive was only available on the NRC internal\nweb site. According to NRC policy and regulations, the NRC Management Directive System has\nalways been available to the public either on CD-ROM, or in the Commission\xe2\x80\x99s Public\nDocument Room. However, publication of the Management Directives on the NRC public web\nsite provides a much larger population, both in the United States and internationally, access to\nthe documents.\n\nMD 12.5 contains sensitive information that should not be disclosed to the public. For example,\nMD 12.5 includes the NRC firewall policy, with a note that the current firewall policy can be\nfound on the NRC internal web site. However, the agency has determined that this policy is too\nsensitive to be posted even on the NRC internal web site, and it can only be obtained by\nrequesting it from OCIO.\n\nNRC has removed MD 12.5 from the NRC public web site and from the Agencywide Document\nAccess and Management System (ADAMS). However, Carson Associates found at least one\ndocument in ADAMS with MD 12.5 attached, and the public can still access MD 12.5 in the\nNRC Public Document Room.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   1. Remove sensitive data from Management Directive 12.5, NRC Automated Information\n      Security Program, which should not be disclosed to the public.\n\nNRC Systems\n\nNRC has a total of seventeen production systems \xe2\x80\x93 thirteen are major applications and four are\ngeneral support systems. NRC also has two systems currently in development. Carson\nAssociates reviewed four of the seventeen production systems. The system evaluation objectives\nwere to review and evaluate the security controls for the systems. The systems were evaluated\nby reviewing system documentation maintained by OCIO. As recommended by OMB, Carson\nAssociates reviewed the following types of documents for adherence to standards and\nconsistency with guidelines issued by NIST.\n\n   \xe2\x80\xa2   Risk Assessment\n   \xe2\x80\xa2   Security Plan\n   \xe2\x80\xa2   Business Continuity Plan\n   \xe2\x80\xa2   Security Test and Evaluation Plan and Report\n   \xe2\x80\xa2   Certification and Accreditation Report\n   \xe2\x80\xa2   Privacy Impact Assessment\n   \xe2\x80\xa2   Draft FY 2004 Self-Assessment\n\n\n\n                                               4\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nThe documents were reviewed to determine whether they are consistent with NIST guidance and\nwhether they describe the security controls in place for the systems. Carson Associates found\nthat in some cases (1) security documentation is not consistent with NIST guidelines, (2) security\nprotection requirements are inconsistent within system security documentation, and (3) findings\nand recommendations resulting from testing system security controls are not consistently being\ntracked. Separate system evaluation reports were prepared and delivered to the agency. The\noverall findings from the system evaluations are discussed further in Section 3.2, Assessment of\nthe POA&M Process, and Section 3.3, Assessment of the Certification and Accreditation\nProcess.\n\n3.1.2 Contractor Operations or Facilities\n\nNRC 2004 OMB FISMA Report A.1.c, A.3.a, A.3.b, A.3.c, A.3.f\n\nNRC uses NIST Special Publication (SP) 800-26, Self-Assessment Guide for Information\nTechnology Systems, for reviewing their own programs and systems. However, NRC primarily\nuses methods other than NIST SP 800-26 for reviewing contractor operations and facilities.\nNRC has a total of seven contractor operations or facilities, and Carson Associates reviewed\nthree of them. NRC presumes that the two agencies supporting NRC are also following FISMA\nand NIST guidelines (these agencies have not allowed NRC to conduct their own review).\nCarson Associates verified that there are agreements in place with the two Federal agencies\nproviding services to NRC. Carson Associates also reviewed a recent security review for one\ncontractor facility.\n\nFor two contractors who provide support to NRC, and one contractor who maintains one of\nNRC\xe2\x80\x99s major applications, management officials stated that these contractors, who have access\nto NRC information technology (IT) resources, must have security guidelines written into their\ncontracts, must follow NRC security procedures, and new contracts must specify use of NIST\nguidance for security. Carson Associates could not determine how NRC ensures operations or\nfacilities at one location are adequately secure and meet Federal policy and guidelines.\n\nCarson Associates also met with OCIO staff to discuss any other methods NRC uses to ensure\ncontractor operations or facilities are adequately secure and meet the requirements of FISMA,\nOMB policy and NIST guidelines, national security policy, and agency policy. OCIO staff\nstated that for two of the contractors, they are treated just like one of the NRC\xe2\x80\x99s regional offices\n\xe2\x80\x93 they are considered trusted foreign networks. There is security language in the contracts\ncurrently in place with the two contractors, and NRC has day-to-day relationships with both\ncompanies.\n\nAgreements with the Two Federal Agencies Providing Services to NRC Need Updating\n\nCarson Associates reviewed services provided to NRC by the Department of the Interior (DOI),\nand the National Institutes of Health (NIH). NRC uses two systems hosted and supported by\nDOI \xe2\x80\x93 the Federal Financial System (FFS) and the Federal Personnel and Payroll System\n(FPPS). NIH provides NRC with Internet connectivity, and two applications that are part of the\nFee Systems are housed on a mainframe located at NIH. The objective of the reviews was to\ndetermine whether the services and facilities provided by DOI and NIH are adequately secure\n\n\n                                                  5\n\x0c                                                                                      Independent Evaluation of\n                                                                       NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nand meet the requirements of FISMA, OMB policy and NIST guidelines, national security\npolicy, and agency policy.\n\nDepartment of the Interior\n\nFor FFS and FPPS, Carson Associates attempted to get up-to-date security documentation for the\ntwo systems in order to review the security controls in place for the systems. For most of the\nmonth of July 2004, Carson Associates was in contact with several DOI staff members in both\nthe National Business Center4 (NBC) and the DOI OIG. Carson Associates was in possession of\nsome documents for both systems, but needed to know if the documents were up-to-date, and\nneeded other documents necessary to conduct a system review. Most of the documents were\nfrom an interim accreditation that was granted in FY 2003. Both systems were fully accredited\nin FY 2004, so the intent was to obtain the documentation supporting the full accreditation.\n\nCarson Associates and the NRC OIG had a conference call with the DOI OIG to discuss a\ncurrent FISMA study being conducted by the DOI OIG on their information systems, including\nFFS and FPPS. They described what they were doing for the study and discussed some of the\nissues that had been found so far. They decided to do the study because of the large number of\nrequests from agencies using NBC services for information on their security controls and\npractices. They will do this review every year, and for future years the reports are planned to be\nready by the end of July (so agencies can use them for their FISMA reviews).\n\nThe DOI review found that NBC\xe2\x80\x99s information security management program and practices met\nFISMA requirements with a few minor exceptions. The DOI Evaluation Report, \xe2\x80\x9cReview of\nInformation System Security over Systems and Applications Used by the National Business\nCenter to Provide Services to Non-Department of the Interior Clients,\xe2\x80\x9d stated that overall\nagreements between NBC and their clients are supposed to include three separate agreements.\n\n    \xe2\x80\xa2   Service Level Agreements \xe2\x80\x93 defines specific tasks to be performed and roles and\n        responsibilities of the respective parties.\n    \xe2\x80\xa2   Security Service Agreements \xe2\x80\x93 defines security roles and responsibilities of the\n        respective parties.\n    \xe2\x80\xa2   Interconnect Security Agreements \xe2\x80\x93 defines the roles and responsibilities for client\n        network management in connecting to NBC systems and applications.\n\nThe DOI OIG review found that of the fifteen agreements reviewed, only one had a Security\nService Agreement, and none had Interconnect Security Agreements. Carson Associates was\nprovided a Security Services Agreement between NBC and NRC. Carson Associates was not\nprovided with a Service Level Agreement or an Interconnect Security Agreement between NBC\nand NRC.\n\n\n\n4\n The DOI National Business Center serves as the systems manager and general purpose computing host for systems\nsupporting budget, procurement and contracts, personnel management, financial and accounting, E-government, and\nother general administrative systems.\n\n\n                                                       6\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nThe DOI report also stated that to ensure that risks are understood and security protections are\nestablished to reduce the risks to acceptable levels, DOI believes that an exchange of system\nsecurity plans between NBC and its clients should be accomplished. This exchange will provide\neach party the necessary information to understand the level of importance each party assigns to\nthe sensitivity and criticality of the systems and information as well as describing the respective\ncontrol environments. Through these exchanges NBC will have a better understanding of the\nrisks to its systems and external clients\xe2\x80\x99 requirements to ensure that appropriate protections are\nimplemented.\n\nThe Security Services Agreement between NBC and the NRC does state that the NBC will\nprovide copies of certification and accreditation documents to clients on request, however, it\ndoes not specifically mention security plans as a type of document that NBC will provide.\nCarson Associates also found a few places in the Security Services Agreement where\ninformation is not accurate or up-to-date. A link to an NBC web page on page three does not\nwork, and the NRC contact information on page ten needs to be updated.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   2. Update the Security Services Agreement between the Department of the Interior National\n      Business Center and NRC to include a requirement to exchange relevant system security\n      plans.\n\n   3. Develop a Service Level Agreement and Interconnect Security Agreement between the\n      Department of the Interior National Business Center and NRC as described in the DOI\n      Evaluation Report, \xe2\x80\x9cReview of Information System Security over Systems and\n      Applications Used by the National Business Center to Provide Services to Non-\n      Department of the Interior Clients.\xe2\x80\x9d\n\nNational Institutes of Health\n\nTwo of the Fee Systems applications reside on a mainframe housed in the NIH Data Center.\nCarson Associates reviewed certification and accreditation documentation for the NIH Data\nCenter as part of the overall system review of the Fee Systems. The documentation was\nreviewed in order to determine whether agency program officials and the agency Chief\nInformation Officer (CIO) have used appropriate methods to ensure that services provided by\nNIH for their program and systems are adequately secure and meet the requirements of FISMA,\nOMB policy and NIST guidelines, national security policy, and agency policy. NIH also\nprovides NRC with Internet connectivity.\n\nNRC developed a Memorandum of Understanding between NRC and NIH, dated January 2003.\nIt is a one page document describing the services NIH provides to NRC and states that all parties\nagree to ensure compliance with applicable Federal and respective agency automated\ninformation systems security policies, mandates and instructions that will ensure the continued\nconfidentiality, integrity, and availability of information being processed by or through this\n\n\n\n                                                 7\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nsystem. The Memorandum of Understanding is to be reviewed annually and will remain in\neffect until terminated in writing.\n\nNIH and NRC also developed a Joint Network Interconnection Security Agreement, dated\nDecember 2003. This is a more comprehensive agreement between the two agencies and\noutlines system security considerations for both agencies. The document includes sections\ndescribing the purpose, authority, and interconnection statement of requirements. The document\nalso includes a section describing system security considerations, including services offered, data\nsensitivity, user community, information exchange security, communication/IT security points of\ncontact, responsible parties, trusted behavior expectations, formal security policy, and incident\nreporting. The document outlines NIH and NRC responsibilities regarding physical security,\nidentification and authentication, anti-virus software, system configuration, warning banners,\nremote access, wireless security, and encryption. It concludes with a discussion of network\nmanagement, compliance, and confidentiality.\n\nThe Network Interconnection Security Agreement states that a Service Level Agreement signed\nby NIH and NRC governs certain services provided by NIH for a fee. NRC provided a copy of a\nService Level Agreement between NIH and NRC that was signed by NRC at the end of March\n2003, and by NIH at the beginning of April 2003. The agreement became effective April 1,\n2003, and remained in effect until September 30, 2003. The agreement describes the services\nprovided by NIH to NRC, including network support and maintenance services. The agreement\ndiscusses services not supported, customer responsibilities, and costs to NRC. Appendices to the\nagreement include an NRC contact list, billing information, escalation procedures, and NRC\npoints of contact for problem resolution. The agency provided a copy of a draft of the agreement\nthat would replace the agreement that expires September 30, 2003, but was not able to provide a\nfinal, signed agreement.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   4. Update the Service Level Agreement between NRC and the National Institutes of Health.\n\n3.1.3 Certification and Accreditation\n\nNRC 2004 OMB FISMA Report A.2.a\n\nFourteen of the seventeen systems have full accreditation, and three have interim accreditations.\nThe interim accreditation for one system expired in July 2004. One system was granted an\nextension to the interim accreditation and it will expire at the end of September 2004. Full\naccreditation of these two systems was scheduled for 4th Quarter FY 2004, and there are\nPOA&M items for tracking the accreditations, however the accreditations have not been\ncompleted as of September 15, 2004. Full accreditation for the third system with interim\naccreditation is scheduled for the 1st Quarter FY 2005.\n\n\n\n\n                                                 8\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nFour Certification and Accreditations are Not Up-To-Date\n\nNIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information\nSystems, states that security certification directly supports security accreditation by providing\nauthorizing officials with important information necessary to make credible, risk-based decisions\non whether to place information systems into operation or continue their current operation. This\ninformation is produced by assessing the security controls in the information system to determine\nthe extent to which the controls are implemented correctly, operating as intended, and producing\nthe desired outcome with respect to meeting the security requirements for the system.\n\nWhile none of the seventeen systems have signed certification and accreditation (C&A)\nmemoranda that are more than three years old, five of the seventeen systems have C&A reports\nthat are more than three years old. The C&A reports are the documents that provided the\nauthorizing officials with the information necessary to accredit the systems. Accreditation\nmemoranda for the five systems with outdated C&A reports were not signed until almost a year\n(or more) had past since the C&A testing was conducted. Re- accreditation of one of the five\nsystems with an outdated C&A report was scheduled for 4th Quarter FY 2004, and there is a\nPOA&M item for tracking the re-accreditation, however the re-accreditation had not been\ncompleted as of September 15, 2004. Re-accreditation of the remaining four systems is\nscheduled for FY 2005.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   5. Re-certify and re-accredit the NRC Data Center/Telecommunications System.\n\n   6. Re-certify and re-accredit the NRC Local Area Network/Wide Area Network.\n\n   7. Re-certify and re-accredit the Emergency Response Data System.\n\n   8. Re-certify and re-accredit the Emergency Telecommunications System.\n\nOne Risk Assessment is Not Up-To-Date\n\nAll seventeen systems have risk assessments. Five of the systems\xe2\x80\x99 risk assessments should have\nbeen updated this fiscal year, as they were more than three years old. Four of the outdated risk\nassessments were updated in FY 2004, and the review team verified and validated the updates.\nThe risk assessment for the NRC local area network/wide area network (LAN/WAN) has not\nbeen updated since February 2001. However, separate updates to the risk assessment were\ndeveloped as LAN/WAN subsystems were certified and accredited. One of the systems in\ndevelopment, the Digital Data Management System (DDMS), also has a risk assessment.\n\n\n\n\n                                                9\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   9. Update the NRC Local Area Network/Wide Area Network Risk Assessment.\n\nAll Security Plans are Up-To-Date\n\nSixteen of the seventeen systems have security plans. The security plan for the seventeenth\nsystem is scheduled for completion by the end of September 2004. Four of the systems\xe2\x80\x99 security\nplans should have been updated this fiscal year, as they were more than three years old. All four\nof the outdated security plans were updated in FY 2004, and the review team verified and\nvalidated the updates. One of the systems in development, DDMS, also has a security plan.\n\nMD 12.5 also requires security plans for \xe2\x80\x9clisted\xe2\x80\x9d systems, and systems that process classified and\nunclassified safeguards information. A \xe2\x80\x9clisted\xe2\x80\x9d system is a computerized information system or\napplication that processes sensitive information requiring additional security protections, and that\nmay be important to the operations of an NRC office or region, but is not a major application\nwhen viewed from an agency perspective. For example, some NRC offices have developed a\nnumber of additional non-major applications that are processing sensitive information such as\nPrivacy Act information, or sensitive contractual and financial information.\n\nAs a result of a POA&M item from the agency\xe2\x80\x99s own FY 2003 FISMA review, the agency\nissued a memorandum in February 2004 instructing Office Directors and Regional\nAdministrators to ensure that information systems sponsored by their office that process or store\nclassified information, safeguards information, or sensitive information have individual security\nplans. The memorandum included instructions for preparing the security plans, as well as a\ntemplate, as attachments. Carson Associates obtained a report from the agency\xe2\x80\x99s internal\ntracking system, the Information Technology Systems Security Tracking System (ITSSTS), of\nall \xe2\x80\x9clisted\xe2\x80\x9d systems at NRC and the status of their security plans. Carson Associates selected\nseventeen \xe2\x80\x9clisted\xe2\x80\x9d systems to check for the existence of security plans. Security plans for\nthirteen of the seventeen systems were located in files maintained by OCIO. Security plans for\nfour of the systems were not on file with OCIO. Security plans for these systems have either\nbeen requested, or sent back for revisions, and their current status is reflected in the ITSSTS\nreport.\n\n3.1.4 Security Control Costs and Information Technology Investments\n\nNRC 2004 OMB FISMA Report A.2.b, A.3.g\n\nNRC has developed several policies and procedures to ensure that security control costs are\nintegrated into the life cycle of NRC systems. These include MD 12.5, MD 2.2, Capital\nPlanning and Investment Control, and MD 2.5, System Development Life Cycle Management\nMethodology.\n\nThe Exhibit 53 submitted to OMB in 2004 for budget year 2005 reflects that IT security costs are\nincluded in the investments for all NRC major applications and general support systems with the\n\n\n                                                 10\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nexception of two systems. The agency stated that these two systems had less than one half of\none percent in security costs; therefore per OMB guidance they were rounded to zero. All\nsystem levels POA&Ms submitted by the agency at the end of the 4th Quarter FY 2004 have\nunique project identifiers that match those used on the Exhibit 53, and include total security costs\nfor completing the corrective actions.\n\nA major IT investment (Tier 1) meets or exceeds a control phase cost threshold of $1,500,000 (or\n$500,000 for financial management systems), or has other characteristics that are of particular\ninterest to NRC management or to the OMB. A Tier 2 investment is one that meets or exceeds a\ncontrol phase cost threshold of $500,000 (but below the Tier 1 $1,500,000 threshold), or requires\nsome level of management control and oversight to effectively deal with special security,\narchitecture, coordination, staffing, or other concerns presented by these investments. A Tier 3\ninvestment is one that does not exceed a control phase cost threshold of $500,000 and has no\nother special characteristics that would classify it as Tier 1 or Tier 2.\n\nOffice Directors and Regional Administrators must submit information on office or regional IT\ninvestments, needs, and plans to the CIO in accordance with NRC\xe2\x80\x99s capital planning and\ninvestment control process, or as requested, to support agencywide IT planning, budgeting, or\ninvestment control.\n\nThe CIO is responsible for the following related to approval of major IT investments:\n\n   \xe2\x80\xa2   Reviewing and approving security certifications and accreditations for NRC information\n       systems, including risk analysis results, security plans, contingency plans, and security-\n       related elements of investment justifications submitted in accordance with NRC capital\n       planning and investment control.\n   \xe2\x80\xa2   Developing and implementing agencywide IT planning, budgeting, and investment\n       control policies, processes, and procedures that support NRC\xe2\x80\x99s mission and meet the\n       requirements of Federal statutes and regulations and are consistent with NRC\xe2\x80\x99s overall\n       planning, budgeting, and performance management process.\n   \xe2\x80\xa2   Reviewing and approving business cases for all IT investments during the selection\n       phase, and for referring Tier 1 IT investments to the Executive Director for Operations\n       for review and approval.\n   \xe2\x80\xa2   Ensuring that proposed new IT investments are not duplicative of other planned or\n       ongoing projects or application systems, unless they are intended to replace those projects\n       or systems.\n   \xe2\x80\xa2   Determining which IT investments should be recommended to the Executive Director for\n       Operations as major investments reportable to OMB.\n\n\n\n\n                                                 11\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n3.1.5 Security Control Test and Evaluation\n\nNRC 2004 OMB FISMA Report A.2.c\n\nFISMA requires agencies to test the management, operational, and technical controls of every\ninformation system identified in their inventory no less than annually. OMB has instructed\nagencies to use NIST SP 800-26 to conduct the annual reviews. NIST SP 800-26 is based on the\nChief Information Officer Council\xe2\x80\x99s \xe2\x80\x9cFederal Information Technology Security Assessment\nFramework\xe2\x80\x9d (the Framework). The Framework comprises five levels to guide agency\nassessments of their security programs and assist in prioritizing efforts for improvement. Level 1\nreflects that an asset has documented security policy. At Level 2, the asset also has documented\nprocedures and controls to implement the policy. For Level 3, procedures and controls have\nbeen implemented to protect the asset. Level 4 indicates that procedures and controls are tested\nand reviewed. Finally, at Level 5, the asset has procedures and controls fully integrated into a\ncomprehensive program.\n\nNRC performs a review of security practices and security controls for each major application and\ngeneral support system by performing annual self-assessments on the systems. The self-\nassessments are based on NIST SP 800-26. Carson Associates received draft self-assessments\nfor all seventeen NRC major applications and general support systems, as well as for one of the\nsystems currently in development. The final self-assessments were received on September 15,\n2004.\n\nAs in previous years, NRC developed a modified version of NIST SP 800-26, and all elements of\nNIST SP 800-26 were included. Some of the self-assessment questions were re-worded to be\nclearer and to make them more applicable to NRC\xe2\x80\x99s environment, and a few additional questions\nwere added.\n\n3.1.6 Contingency Planning and Testing\n\nNRC 2004 OMB FISMA Report A.2.d, A.2.e\n\nOne Contingency Plan Is Not Up-To-Date\n\nSixteen of the seventeen systems have business continuity plans (BCPs), also referred to as\ncontingency plans. Four of the systems\xe2\x80\x99 BCPs should have been updated this fiscal year, as they\nwere more than three years old. Three of the outdated BCPs were updated in FY 2004, and the\nreview team verified and validated the updates. The BCP for the LAN/WAN has not been\nupdated since July 2001. However, separate updates to the BCP were developed as LAN/WAN\nsubsystems were certified and accredited. One of the systems in development, DDMS, also has a\ncontingency plan.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   10. Update the NRC Local Area Network/Wide Area Network Business Continuity Plan.\n\n\n                                                12\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\nAll Contingency Plans Have Been Tested\n\nAll sixteen BCPs have been tested in the past fiscal year (one system does not have a BCP). One\nBCP was tested in the 4th Quarter FY 2003, two were tested in the 2nd Quarter FY 2004, eight\nwere tested in the 3rd Quarter FY 2004, and five were tested in the 4th Quarter FY 2004. The\nreview team verified and validated the majority of the BCP test results, and will verify and\nvalidate all of the BCP test results during ongoing POA&M validation.\n\nCritical Infrastructure Protection\n\nNRC\xe2\x80\x99s Critical Infrastructure Protection Plan has been updated in accordance with OMB\nMemorandum M-04-15, Development of Homeland Security Presidential Directive \xe2\x80\x93 7 Critical\nInfrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources.\nIt includes a review of the agency\xe2\x80\x99s operations, functions, and services. The review concluded\nthat NRC has no national critical operations and services.\n\n3.1.7 System Inventory\n\nNRC 2004 OMB FISMA Report A.3.d, A.3.e\n\nMD 12.5 was updated in September 2003, and additional text was added to clarify who is\nresponsible for developing and maintaining the system inventory. The CIO is responsible for\ndeveloping and maintaining an annual inventory of NRC automated information systems\n(including major national security systems) operated by or under the control of the agency. The\nidentification of all major information systems in the inventory must include an identification of\nthe interfaces between each system and all other systems and networks, including those not\noperated by or under the control of the agency. Regional Administrators and Office Directors\nmust ensure that information systems sponsored by their office are included in the master\ninventory maintained by OCIO. System sponsors/owners must ensure that all office-sponsored\nIT systems are properly categorized and accurately reflected in the master inventory of systems\nmaintained by OCIO. Each office will work with OCIO to update and revalidate the master\ninventory of systems on an annual basis.\n\nFour categories of systems are to be included on the master inventory: major applications,\ngeneral support systems, listed systems, and other systems. \xe2\x80\x9cListed\xe2\x80\x9d systems were described\nearlier in Section 3.1.3, Certification and Accreditation. MD 12.5 defines \xe2\x80\x9cOther\xe2\x80\x9d as a system\nthat does not require additional security protections, and the information being processed by the\nsystem is adequately protected by the security provided by the NRC LAN/WAN. This\ncategorization assumes that OCIO and the sponsor have first jointly decided that the application\nis appropriately called a system and is to be included in the NRC master inventory of systems.\nSystems in the \xe2\x80\x9cOther\xe2\x80\x9d category are typically collections of computer-based activities that while\nfocused on a particular mission function or objective do not have the structure, size, data\nsensitivity, or the mission importance to warrant additional special management attention or\nadditional security controls.\n\n\n\n\n                                                13\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nAs a result of a POA&M item from the FY 2003 FISMA review, the agency issued a\nmemorandum in November 2003 asking NRC offices to provide input to OCIO for updating the\nagency\xe2\x80\x99s list of systems. The request was combined with a request from the Office of the Chief\nFinancial Officer for an update of the cost for internal use software. The two requests were\ncombined in order to minimize the impact on NRC offices. The memorandum states that in the\nfuture, OCIO and the Office of the Chief Financial Officer will be issuing two calls per year to\nupdate/validate the data. The memorandum included as an attachment a list of systems for each\noffice. Offices were requested to review and update the information as necessary, and provide\ninputs by December 15, 2003. The next request was sent in August 2004.\n\nNRC uses the Information Technology Systems Security Tracking System (ITSSTS) to maintain\ntheir system inventory. Their inventory includes not only major applications and general support\nsystems, but also listed and other systems. Carson Associates also reviewed a system inventory\nreport from ITSSTS (by office by system) dated August 4, 2004, and it includes a total of five\ngeneral support systems, fourteen major applications, 153 listed systems, and 273 other systems.\n\nAs a result of a POA&M item from the FY 2003 FISMA review, the agency also began\nmaintaining a list of interfaces for some of their systems. This list is maintained by a contractor\nsupporting OCIO and is not a part of ITSSTS.\n\nThe OIG is not involved in the development of the agency\xe2\x80\x99s major IT system inventory.\nHowever, the OIG is involved in verification of the inventory as a part of the annual FISMA\nreview of the agency\xe2\x80\x99s information security program.\n\n3.1.8 E-Authentication\n\nNRC 2004 OMB FISMA Report A.3.h\n\nIn accordance with OMB Memorandum M-04-04, E-Authentication Guidance for Federal\nAgencies, NRC has begun assessing systems for e-authentication risk. A contract was awarded\nin the 3rd Quarter FY 2004 and NRC is on track to meet the December 15, 2004, deadline for\nclassifying all major applications.\n\n3.1.9 Senior Agency Information Security Officer\n\nNRC 2004 OMB FISMA Report A.3.i\n\nFISMA requires the CIO of each Federal agency to designate a senior agency information\nsecurity officer who shall carry out the CIO\xe2\x80\x99s responsibilities described in FISMA; possess\nprofessional qualifications, including training and experience, required to administer the\nfunctions described in FISMA; have information security duties as that official\xe2\x80\x99s primary duty;\nand head an office with the mission and resources to assist in ensuring agency compliance with\nFISMA.\n\nFor the past two years, OMB has asked agencies to report whether they have appointed a senior\ninformation security officer who reports to the agency CIO, even though FISMA does not\nspecifically state that the official should report to the CIO.\n\n\n                                                 14\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\nNRC\xe2\x80\x99s Senior Information Technology Security Officer (SITSO) left the agency in late 2003 and\nas of December 12, 2003, the Director of the Program Management, Policy Development, and\nAnalysis Staff within OCIO is currently serving as acting SITSO. The agency is in the process\nof looking for someone to fill the position and anticipates hiring a new SITSO by the end of\nOctober 2004.\n\nThe former SITSO did not report directly to the CIO, and the new SITSO, once hired, will also\nnot report directly to the CIO. The SITSO will report to the Director of the Program\nManagement, Policy Development, and Analysis Staff within OCIO on day-to-day matters, and\nwill have direct access to the CIO on any computer security issues.\n\n3.2    Assessment of the POA&M Process\n\nNRC 2004 OMB FISMA Report Section C.1\n\nNRC has two primary tools for tracking the progress of corrective actions related to correcting\nweaknesses identified during the annual agency security review, the OIG independent\nevaluation, various security documents, and other security studies conducted by or on behalf of\nthe agency. At a high level, NRC uses the POA&M submitted to OMB to track corrective\nactions from the OIG annual independent evaluation, and the agency\xe2\x80\x99s annual review. The\nPOA&M may also include corrective actions resulting from other security studies conducted by\nor on behalf of NRC.\n\nAt a more detailed, level, NRC uses the NRC ITSSTS to track the progress of internal corrective\nactions (i.e., those not reported to OMB). ITSSTS is used to track more specific corrective\nactions, such as those resulting from risk assessments, security test and evaluation associated\nwith the certification and accreditation process, and contingency plan testing.\n\nThe FY 2003 FISMA independent evaluation of NRC\xe2\x80\x99s information security program found that\nthe agency\xe2\x80\x99s corrective action tracking process needed improvement and that not all corrective\nactions resulting from security reviews and testing were being tracked. The OIG recommended\nthat the agency identify all weaknesses and recommendations from security documentation and\nany other security reviews, and determine in which tool the recommendations will be tracked. In\nNovember 2003, OCIO issued a memorandum describing the agency\xe2\x80\x99s information technology\nsecurity action item tracking process, strategy, and tools. The memorandum describes the types\nof activities that might identify security weaknesses in NRC information technology systems and\ndescribes the two tools used by NRC for tracking the process of security corrective actions \xe2\x80\x93 the\nFISMA POA&M and ITSSTS. The memorandum also states that NRC updates the status of all\naction items in the POA&M and the ITSSTS database at least quarterly, and more frequently as\nsystem testing and other security activities are completed.\n\nNRC had made significant progress in correcting weaknesses identified during the FY 2003\nFISMA review. However, the corrective action tracking process needs further improvement, as\nfindings and recommendations resulting from security reviews and testing are not consistently\nbeing tracked. Carson Associates also found that the agency\xe2\x80\x99s POA&M needs improvement.\n\n\n\n                                               15\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nNRC Has Made Significant Progress in Correcting FY 2003 Weaknesses\n\nThe 4th Quarter FY 2003 POA&M submitted to OMB in October 2003 included a few POA&M\nitems carried over from the previous POA&M, plus the new weaknesses identified during the FY\n2003 FISMA review. NRC reported a total of 10 program level POA&M items to OMB, and 59\nsystem level items for which corrective action is ongoing.\n\nDuring FY 2004, NRC added 2 more program level items, and 12 more system level items, for a\ntotal of 12 program level items and 71 system level items. During FY 2004, NRC reported as\ncompleted a total of 10 program level items, and 59 system level items. There are 2 program\nlevel and 12 system level items remaining on the POA&M for which corrective action is\nongoing. NRC has completed approximately 83% of the POA&M items on the FY 2004\nPOA&M submitted to OMB.\n\nCarson Associates, as part of the FY 2004 FISMA review, has been validating closure of\nprogram and system level POA&M items as the agency has submitted their quarterly updates.\nCarson Associates verified and validated closure of all POA&M items reported closed during the\n4th Quarter FY 2003, and the 1st Quarter FY 2004. Carson Associates is in the process of\nvalidating closure of items reported during the remaining three quarters of FY 2004. Based on\nthe preliminary analysis of documentation supporting closure of these items, Carson Associates\nwill also verify and validate their closure.\n\nThe Corrective Action Tracking Process Needs Further Improvement\n\nDuring the system evaluations, Carson Associates found that findings and recommendations\nresulting from testing security controls are not consistently being tracked. The following are\nsome examples.\n\nCertification and Accreditation Testing\n\nThe risk assessment for one system identified thirteen risks, and the security test and evaluation\nplan and report identified eight risks. A mitigation plan submitted with the certification and\naccreditation package for the system combined the risks identified during the risk assessment and\nsecurity test and evaluation into one list. Carson Associates could not account for four of the\nrisks from the mitigation plan in the current instance of ITSSTS. According to the agency, these\nfour risks were tracked and completed in 2002. At the exit conference held to discuss the\nfindings of the system evaluation, the agency provided documentation supporting their statement\nthat the risks were tracked and completed in 2002 (output from a previous instance of ITSSTS),\nbut only for three of the four risks that could not be accounted for in the current instance of\nITSSTS. The agency could not determine why the three risks were not in the current instance of\nITSSTS and could not determine why the fourth risk could not be found in any instance of\nITSSTS.\n\nThe risk assessment for another system identified eight risks. The security test and evaluation\nreport for the system also identified eight risks, however they were not the same eight risks\nidentified in the risk assessment. The two new risks identified during the security test and\nevaluation are not being tracked in ITSSTS. Subsequent to the exit conference held to discuss\n\n\n                                                16\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nthe findings of the system evaluation, the agency provided a report from ITSSTS that included\nthe two missing risks.\n\nThe risk assessment for a third system identified nine risks. Subsequent documentation for the\nsystem stated that three risks are acceptable, and provided a detailed discussion of corrective\nactions necessary to mitigate the remaining risks. A project plan proposed a total of sixteen tasks\nto address the remaining risks, with two tasks stated as recently completed. The project plan also\nincluded a detailed discussion of the remaining tasks, and included a timeline for completing the\noutstanding tasks. The ITSSTS is reporting three of the remaining risks (also referred to as\nweaknesses) as \xe2\x80\x9cCompleted,\xe2\x80\x9d when the project plan indicates that the tasks required to address\nthe three weaknesses have not been completed. The ITSSTS is also reporting three weaknesses\nas \xe2\x80\x9cScheduled.\xe2\x80\x9d However, ITSSTS is not tracking the individual tasks required to address the\nweaknesses. In some instances, more than one task was suggested to close the weakness. By\nincluding only the weakness in ITSSTS and not the individual tasks required to address the\nweakness, the agency is not able to track completion of the individual tasks proposed in the\nproject plan.\n\nBusiness Continuity Plan Testing\n\nA memorandum summarizing testing of one system\xe2\x80\x99s disaster recovery process resulted in five\naction items, however none of them are being tracked in ITSSTS or in the agency\xe2\x80\x99s POA&M\nsubmitted to OMB.\n\nThe testing of another system\xe2\x80\x99s business continuity plan identified four shortcomings, and\nresulted in three recommendations. The agency is tracking the four shortcomings in ITSSTS, but\nis tracking the three recommendations in the POA&M submitted to OMB. The three\nrecommendations do not completely correlate to the four shortcomings, so the agency is tracking\ndifferent things in their tracking systems. Tracking shortcomings (i.e., weaknesses) in one\nsystem and recommendations in another could result in weaknesses not being addressed or\noverlooked, or in recommendations not being corrected on time.\n\nOther reports\n\nThe OIG issued two reports in FY 2004 that included recommendations specific to two NRC\nsystems. One report, \xe2\x80\x9cReview of NRC\xe2\x80\x99s Personnel Security Program,\xe2\x80\x9d included three\nrecommendations specific to the Integrated Personnel Security System (IPSS). These\nrecommendations were:\n\n   \xe2\x80\xa2   Issue specific data entry guidance to Division of Facilities and Security staff responsible\n       for entering data into IPSS.\n   \xe2\x80\xa2   Formalize the ongoing IPSS data cleanup effort by documenting this effort. This\n       documentation should include a discussion of resources assigned to the effort and a\n       timeline for completion.\n   \xe2\x80\xa2   Establish and implement a procedure to validate data accuracy at least annually.\n\n\n\n\n                                                17\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nNone of these recommendations are being tracked in either of the agency\xe2\x80\x99s tracking tools.\nSubsequent to completion of fieldwork, the agency entered the three recommendations into\nITSSTS.\n\nThe second report, \xe2\x80\x9cAudit of the Licensing Support Network,\xe2\x80\x9d included two recommendations:\n\n   \xe2\x80\xa2   Establish written agreements with each interconnected party detailing minimum security\n       responsibilities for their interconnected system.\n   \xe2\x80\xa2   Update the security plan to include information required by OMB Circular No. A-130.\n\nOnly the second recommendation, update the security plan, is being tracked in ITSSTS and the\nagency\xe2\x80\x99s POA&M submitted to OMB. Subsequent to completion of fieldwork, the agency\nentered the two recommendations into ITSSTS, and OCIO notified the OIG that the corrective\nactions have been completed. However, the recommendations have not been closed by the OIG.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   11. Refine the procedures for identifying weaknesses to be tracked in the Information\n       Technology Systems Security Tracking System.\n\nThe Agency\xe2\x80\x99s POA&M Needs Improvement\n\nThere were a few minor problems with the 4th Quarter FY 2003 and 1st Quarter FY 2004\nquarterly updates and POA&M submitted to OMB. In both of these quarterly updates, the\nmetrics reported to OMB did not reflect the contents of the corresponding POA&M.\nRepresentatives from OCIO could not account for the discrepancies in the metrics and the\ncontents of the POA&M, as the metrics were calculated and submitted by the previous Senior\nInformation Technology Security Officer. The discrepancies in the metrics were not serious\nenough to report as a weakness in the FY 2004 FISMA Independent Evaluation.\n\nProgram level weaknesses corrected between submission of the 3rd Quarter FY 2003 POA&M\nand the 4th Quarter FY 2003 POA&M were not included in the 4th Quarter FY 2003 POA&M.\nThe omission of weaknesses corrected between the two POA&M submissions made it difficult\nfor the review team to identify weaknesses corrected during the time between June 30, 2003, and\nOctober 1, 2003. The difficulty was compounded by inconsistencies in the metrics submitted\nwith the 4th Quarter FY 2003 POA&M. The FY 2004 FISMA guidance states that weaknesses\nthat are no longer undergoing correction and have been completely mitigated for over a year\nshould no longer be reported in the agency POA&M. FISMA guidance also states that the\nPOA&M should include the date of completion in the Status column. The NRC POA&M does\nnot include completion dates in the Status column, making it difficult to identifying weaknesses\nthat have been completely mitigated for over a year.\n\nThere was also a very minor issue with the 2nd Quarter FY 2004 POA&M. Text in column 5\n(Milestones with Completion Dates) was changed for every item in the POA&M. No milestone\n\n\n                                               18\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\ndates were changed, only the text describing the milestones. Additional text was added to some\nmilestones. While the milestone dates were not changed per OMB guidance, the change to the\ntext describing the milestones made it difficult to verify there were no changes to the milestones.\nBecause of the changes to the text, every milestone had to be carefully reviewed to make sure no\ndates had been changed. In addition, the wording of the milestones from an action (e.g., Issue\nrevised guidance), to a statement (e.g., Revised guidance issued) almost implies that those\nactivities actually occurred on the dates listed with them.\n\nRECOMMENDATIONS\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      12. Report corrected weaknesses on the POA&M for a year after their completion.\n\n      13. Include a completion date in the Status column of the POA&M.\n\n3.3       Assessment of the Certification and Accreditation Process\n\nNRC 2004 OMB FISMA Report Section C.2\n\nMD 12.5 assigns the CIO responsibility for reviewing and approving security certifications and\naccreditations for NRC information systems, including risk analysis results, security plans, and\ncontingency plans. Regional Administrators and Office Directors are responsible for ensuring\nthe preparation and periodic updates of required system security documentation are completed in\norder to facilitate the design, implementation, operation and maintenance, testing, and security\ncertification and accreditation of information systems for which their office is the system\nsponsor.\n\nPart 4 of the MD 12.5 Handbook describes the certification and accreditation process used at\nNRC. According to MD 12.5, FISMA directs NIST to prescribe standards and guidelines that\nprovide minimum information security requirements and improve the security of Federal\ninformation and information systems, and these standards and guidelines are mandatory. NIST\nhas developed several guidelines and standards, including those for conducting risk assessments,\ndeveloping security plans, and contingency plans. MD 12.5 states that NRC shall comply with\nNIST guidance to include guidance related to the preparation of security documentation (such as\nsystem security plans, risk assessments, and contingency plans), and other applicable NIST\nguidance for information technology security processes, procedures, and testing. OMB guidance\nstates that reviews and evaluations of agency IT security programs and systems should consider\nadherence to standards and consistency with NIST guidance.\n\nNRC requires the certification and accreditation of all major applications and general support\nsystems, and the C&A package must include the following documentation:\n\n      \xe2\x80\xa2   Risk Assessment Report\n      \xe2\x80\xa2   System Security Plan\n      \xe2\x80\xa2   Security Test and Evaluation Plan and Report\n\n\n\n                                                 19\n\x0c                                                                                            Independent Evaluation of\n                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n    \xe2\x80\xa2    Contingency Plan and Contingency Plan Test Report\n    \xe2\x80\xa2    Information System Security Officer Appointment Letter\n    \xe2\x80\xa2    Certification Report With Certification Signature\n    \xe2\x80\xa2    Accreditation Signature\n\nMD 12.5 also describes the certification and accreditation requirements for \xe2\x80\x9clisted\xe2\x80\x9d and \xe2\x80\x9cother\xe2\x80\x9d\nsystems on the NRC inventory.\n\nCarson Associates reviewed the certification and accreditation packages for four systems as part\nof the system evaluations conducted for the FY 2004 FISMA review. Carson Associates found\nthat all systems followed the NRC certification and accreditation process, and the certification\nand accreditation packages contained all of the required documentation. However, in some cases\nthe documentation was not consistent with NIST guidelines. Carson Associates also found that\nin some cases, security protection requirements were inconsistent within security documentation.\nSecurity test and evaluation conducted on one system as part of the certification and\naccreditation of the system was not comprehensive and was not performed by an independent\nparty.\n\nSeparate system evaluation reports were prepared and delivered to the agency and include\nrecommendations specific to each system. The following findings are for the certification and\naccreditation process itself and are not specific to any one system.\n\nSecurity Documentation Is Not Always Consistent With NIST Guidelines\n\nRisk Assessments\n\nOne risk assessment did not describe the threat-sources5 and vulnerabilities6 identified for the\nsystem, and did not describe how risk levels were determined. NIST SP 800-30, Risk\nManagement Guide, describes risk as \xe2\x80\x9ca function of the likelihood of a given threat-source\xe2\x80\x99s\nexercising a particular potential vulnerability, and the resulting impact of that adverse event on\nthe organization.\xe2\x80\x9d The risk assessment presented a table summarizing the findings and\nrecommendations, where the second column of the table represented threats. However, the risk\nassessment did not include a list of potential threat-sources that could exploit system\nvulnerabilities, did not include a list of potential vulnerabilities applicable to the system, and did\nnot discuss the threat-source/vulnerability pairs that identified the threats listed in the summary\ntable.\n\nNIST SP 800-30 describes risk level as a function of the likelihood of a given threat-source\xe2\x80\x99s\nattempting to exercise a given vulnerability (i.e., the likelihood of the threat), the magnitude of\nthe impact should a threat-source successfully exercise the vulnerability (i.e., the impact of the\n\n5\n  A threat-source is either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a\nsituation and method that may accidentally trigger a vulnerability.\n6\n  The potential for a particular threat-source exercise (accidentally trigger or intentionally exploit) a particular\nvulnerability is also known as a threat. A vulnerability is a flaw or weakness in system security procedures, design,\nimplementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and\nresult in a security breach or a violation of the system\xe2\x80\x99s security policy.\n\n\n                                                          20\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nthreat), and the adequacy of planned or existing security controls for reducing or eliminating risk.\nTo measure risk, a risk scale and risk-level matrix must be developed. The table in the risk\nassessment discussed in the previous paragraph only presented the risk levels, and did not\nidentify or describe how these risk levels were determined. The risk assessment identified\nseveral threats with a \xe2\x80\x9cMedium\xe2\x80\x9d risk level, but did not describe whether these were threats with\nhigh impact or a high likelihood. The controls recommended to mitigate the risk could vary\ngreatly depending on which factor (likelihood or impact) contributed the most to the risk level.\nUnderstanding likelihood and impact is also important in prioritizing the implementation of\nrecommended corrective actions.\n\nThe risk assessment for another system also had several problems. There were errors in the risk\nlevels in some of the tables of the report. In some cases, a risk level was incorrectly calculated,\nand in others, the risk level changed from table to table. The final table in the report was missing\nan entry that was included in all of the previous tables. The risk assessment only recommended\nsecurity controls that could mitigate or eliminate the identified high and medium level risks, but\ngave no rationale for excluding recommendations for addressing the low level risks. The risk\nassessment should provide recommendations for all risks, or a rationale for providing only\nrecommended controls for high and medium level risks.\n\nThe recommended controls in the risk assessment were very high level and did not include\nspecific corrective actions to address the identified vulnerabilities. NIST SP 800-30\nrecommends using vulnerability sources, system security testing, and a security requirements\nchecklist for identifying system vulnerabilities. The methodology needed to identify\nvulnerabilities varies, depending on the system\xe2\x80\x99s phase in the life cycle. The system was in the\nimplementation phase when the risk assessment was conducted. NIST SP 800-30 states that\nidentification of vulnerabilities for systems in this phase should include more specific\ninformation, such as the planned security features described in the security design documentation\nand the results of system certification test and evaluation. Questionnaires and interviews with\npersonnel responsible for the system were used to identify technical and non-technical\nvulnerabilities, resulting in identification of generic technical and non-technical risk controls.\nThe risk assessment stated that more implementation specific recommendations would be offered\nas part of the security plan. However, the security plan contains no recommendations related to\nthe identified risks.\n\nSecurity Plans\n\nNIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems,\nstates that the purpose of a security plan is to provide an overview of the security requirements of\nthe system and describe controls in place or planned for meeting those requirements. NIST SP\n800-18 also states that the security plan should fully identify and describe the controls currently\nin place, or planned for the system.\n\nIn order to identify what controls were currently in place for the systems, Carson Associates\nreviewed and analyzed two other documents in conjunction with the security plans \xe2\x80\x93 the self-\nassessments, and results from security test and evaluation of system controls conducted during\nthe certification and accreditation of the systems. Carson Associates reviewed the FY 2003 self-\n\n\n\n                                                 21\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nassessments in order to identify controls in place for the systems. Any controls marked at least at\na Level 3 in the self-assessment are considered to be in place based on the definitions in Section\n3.1.5, Security Control Test and Evaluation. The FY 2003 self-assessments were reviewed as\nthe agency had only provided drafts of the FY 2004 self-assessments when the fieldwork was\nconducted.\n\nCarson Associates also reviewed the results of the security test and evaluation of system controls\nconducted during the certification and accreditation of the systems. Security certification is a\ncomprehensive assessment of the management, operational, and technical security controls in an\ninformation system, made in support of security accreditation, to determine the extent to which\nthe controls are implemented correctly, operating as intended, and producing the desired\noutcome with respect to meeting the security requirements for the system. Three of the Security\nTest and Evaluation Plans and Reports included an appendix with test procedure worksheets\nused to record the results of the testing. The test objectives on the test procedure worksheets\ncorrespond to the control objectives in the NIST SP 800-26 self-assessment. Each test objective\nis marked as either pass, fail, or not applicable. A test objective marked as pass represents a\nsecurity control that is in place. The format of the Security Test and Evaluation Plan and Report\nfor the fourth system was different from the other three, so only the self-assessment was used to\nidentify security controls in place for that system.\n\nCarson Associates found several areas in the system security plans for all four systems where\ncontrols were not described. Carson Associates identified several cases where either the self-\nassessment and/or the test procedure worksheet indicated a control was in place, but it was not\ndescribed in the security plan. Carson Associates also identified several instances where the\ninformation in the security plan, self-assessment and/or test procedure worksheets was\ninconsistent. Security plans should describe all controls currently in place. In-place controls are\nthose marked at least at Level 3 in the self-assessment, and that passed during security test and\nevaluation. The self-assessment should also reflect all controls in place. In-place controls are\nthose that passed during security test and evaluation.\n\nContingency Plans\n\nCarson Associates used NIST SP 800-34, Contingency Planning Guide for Information\nTechnology Systems, to evaluate the contingency plans (referred to as business continuity plans)\nof the four NRC systems. Carson Associates found that the business continuity plans (BCPs)\nwere consistent with NIST SP 800-34 guidance for the most part, but there were several areas\nwhere information was missing, or out of date. The following are some examples:\n\n   \xe2\x80\xa2   Some of the BCPs did not include information on what changes have been made to the\n       plan and when. According to the agency, NRC requires annual updates of all BCPs,\n       however NRC only requires conformance with current NIST guidance at the time of re-\n       accreditation. However, without information on what changes were made and when,\n       Carson Associates could not determine whether the BCPs that were reviewed were\n       updated as part of the annual requirement, or as part of a system re-accreditation. NIST\n       SP 800-34 states that the contingency plan should be a living document that is changed as\n       required to reflect system, operational, or organizational changes. Modifications made to\n\n\n\n                                                 22\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n         the plan should be recorded in a record of changes, which lists the page number, change\n         comment, and date of change.\n    \xe2\x80\xa2    The personnel contact information in some of the BCPs was not up-to-date and did not\n         include notification procedures or contact information for notifying personnel during\n         non-business hours. In some cases, the BCPs did not include personnel contact\n         information for team leaders, alternate team leaders, or team members. Not having up-to-\n         date contact information to reach the designated teams during both business and non-\n         business hours may cause delays in the disaster recovery process.\n    \xe2\x80\xa2    Some BCPs did not include procedures for restoring system operations that include\n         procedures for cleaning the alternate site of any equipment or other materials belonging\n         to the organization, with a focus on handling sensitive information. These procedures are\n         necessary to ensure that no sensitive materials remain at the alternate site.\n\nRECOMMENDATION\n\n    The Office of the Inspector General recommends that the Executive Director for Operations:\n\n    14. Develop a process for ensuring security documentation supporting system certification\n        and accreditation is consistent with NIST guidelines.\n\nSecurity Protection Requirements Are Inconsistent Within Security Documentation\n\nFISMA defines the term \xe2\x80\x9cinformation security\xe2\x80\x9d to mean protecting information and information\nsystems from unauthorized access, use, disclosure, disruption, modification, or destruction in\norder to provide confidentiality, integrity, and availability. Confidentiality is preserving\nauthorized restrictions on information access and disclosure, including means for protecting\npersonal privacy and proprietary information. Integrity is guarding against improper information\nmodification or destruction, and includes ensuring information non-repudiation and authenticity.\nAvailability is ensuring timely and reliable access to and use of information. Confidentiality,\nintegrity and availability are often referred to as security protection requirements or security\nobjectives for a system.\n\nFederal Information Processing Standards Publication 199, Standards for Security\nCategorization of Federal Information and Information Systems, requires all Federal agencies to\ncategorize their systems by assigning potential impact levels to the three security objectives. The\npotential impact is low if the loss of confidentiality, integrity, or availability could be expected to\nhave a limited adverse effect on organizational operations, organizational assets, or individuals.7\nThe potential impact is moderate (medium) if the loss of confidentiality, integrity, or availability\ncould be expected to have a serious adverse effect on organizational operations, organizational\nassets, or individuals. The potential impact is high if the loss of confidentiality, integrity, or\navailability could be expected to have a severe or catastrophic adverse effect on organizational\noperations, organizational assets, or individuals.\n\n\n7\n Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are\nentitled under law.\n\n\n                                                          23\n\x0c                                                                                  Independent Evaluation of\n                                                                   NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nThree of the four systems had different security protection requirements in their security plans\nand the self-assessments. The protection requirements should be consistent across the security\ndocumentation for a system. A change in protection requirements could indicate a need to re-\nevaluate the risks to the system, especially if the change is from a lower rating to a higher one. If\nthe protection requirements have changed since the system\xe2\x80\x99s security plan was finalized, then an\nexplanation for the change should be noted on the self-assessment.\n\nRECOMMENDATION\n\n    The Office of the Inspector General recommends that the Executive Director for Operations:\n\n    15. Develop a process for ensuring security protection requirements (confidentiality,\n        integrity, availability) are consistently defined in security plans and self-assessments.\n\nSecurity Test and Evaluation for One System Was Not Comprehensive and Not\nIndependent\n\nNIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information\nSystems, states that \xe2\x80\x9cSecurity certification is a comprehensive assessment of the management,\noperational, and technical security controls in an information system, made in support of security\naccreditation, to determine the extent to which the controls are implemented correctly, operating\nas intended, and producing the desired outcome with respect to meeting the security\nrequirements for the system.\xe2\x80\x9d The security test and evaluation plans and reports for three of the\nfour systems demonstrated that comprehensive testing was performed on the security controls of\nthose systems. However, the security test and evaluation conducted on the fourth system was not\ncomprehensive and was not performed by an independent party.\n\nThe test scenarios used in the system\xe2\x80\x99s security test and evaluation plan only tested user\nauthentication, user logon, password management, user logoff, user profiles and user groups.\nWhile this type of testing may be appropriate as a part of the life cycle testing performed during\nthe implementation phase, it is not appropriate for security test and evaluation associated with\ncertification of a system.\n\nNIST SP 800-30 recommends using vulnerability sources, system security testing, and\ndeveloping a security requirements checklist for identifying system vulnerabilities. The\nmethodology needed to identify vulnerabilities varies, depending on the system\xe2\x80\x99s phase in the\nlife cycle. The system was in the implementation phase when the risk assessment was\nconducted. NIST SP 800-30 states that identification of vulnerabilities for systems in this phase\nshould include more specific information, such as the planned security features described in the\nsecurity design documentation and the results of system certification test and evaluation.\nQuestionnaires and interviews with personnel responsible for the system were used to identify\ntechnical and non-technical vulnerabilities, resulting in identification of generic technical and\nnon-technical risk controls. However, the risk assessment did not identify any actual\nthreats/vulnerabilities to the system, therefore, it is essential that the security test and evaluation\ninclude a comprehensive assessment of management, operational, and technical controls. For\nexample, the risk assessment identified the environment in which the system is installed as a\npotential vulnerability. The security test and evaluation did not test any physical controls.\n\n\n                                                   24\n\x0c                                                                                 Independent Evaluation of\n                                                                  NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\nThe security test and evaluation plan described the process the tester should follow when failures\nor problems are found \xe2\x80\x93 after the problem is resolved, the correction is tested again. If the failure\nor problem is found during integration or system testing, then regression testing is also supposed\nto be performed. However, there are several tests that appear to have been recorded first as a\nfail, then changed to a pass. None of the pages where failures appear to be noted have an\nindication of what caused the test to fail, what corrections (if any) were made to the system to\ncorrect the error, and when the test was repeated after the correction was made.\n\nThe contractor who developed the system performed the security test and evaluation. This is\ncontrary to guidance in NIST SP 800-37. To preserve the impartial and unbiased nature of the\nsecurity certification, the certification agent should be in a position that is independent from the\npersons directly responsible for the development of the information system and the day-to-day\noperation of the system. The certification agent should also be independent of those individuals\nresponsible for correcting security deficiencies identified during the security certification. The\nindependence of the certification agent is an important factor in assessing the credibility of the\nsecurity assessment results and ensuring the authorizing official receives the most objective\ninformation possible in order to make an informed, risk-based, accreditation decision. When the\npotential agency-level impact is moderate or high, certification agent independence is needed\nand justified.\n\nRECOMMENDATION\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      16. Develop a process for ensuring security test and evaluation in support of certification and\n          accreditation is comprehensive and independent.\n\n3.4       Security Configurations and Patching\n\nNRC 2004 OMB FISMA Report Section D\n\nThe CIO has implemented several policies that address security configurations and their\nimplementation. The CIO developed a NRC System Security Baseline Implementation Plan,\nwith an objective to establish, develop, implement, maintain, and verify secure baseline\nconfigurations for all information systems. The NRC program is based on Center for Internet\nSecurity Benchmarks and Scoring Tools. NRC personnel compiled and researched\nrecommended \xe2\x80\x9cbest practice\xe2\x80\x9d technical settings and actions and developed \xe2\x80\x9cin house\xe2\x80\x9d\nbenchmarks for those platforms for which a benchmark has yet to be developed. The following\nplatforms are the focus of the initiative:\n\n      \xe2\x80\xa2   Microsoft NT\n      \xe2\x80\xa2   Microsoft Windows 2000\n      \xe2\x80\xa2   Novell NetWare\n      \xe2\x80\xa2   Sun Solaris\n      \xe2\x80\xa2   IBM AIX\n\n\n                                                   25\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n   \xe2\x80\xa2   Linux\n\nFollow-up initiatives will address upcoming operating systems (e.g., Windows XP), and lesser-\nutilized operating systems, specific applications (e.g., web servers), networking infrastructure\ndevices (e.g., routers), and other miscellaneous systems and devices (e.g., wireless). The scope\nof the plan is all NRC systems running operating systems listed above and includes all systems\nthat are currently in an \xe2\x80\x9cactive\xe2\x80\x9d state and are components of the primary NRC LAN/WAN.\n\nThe plan describes the methodology as comprising four steps:\n\n   \xe2\x80\xa2   Benchmark definition \xe2\x80\x93 NRC is using Center for Internet Security terminology for\n       benchmarks \xe2\x80\x93 Level-I and Level-II, with Level-II being more secure. The goal for the\n       initiative is to have NRC systems satisfy Level-I benchmark criteria.\n   \xe2\x80\xa2   Identification of security benchmarks \xe2\x80\x93 NRC has identified six initial benchmarks as\n       described earlier.\n   \xe2\x80\xa2   Security benchmark implementation \xe2\x80\x93 Only systems running one of the six operating\n       systems described earlier are covered by the initiative. The plan also discusses plans for\n       ensuring a Benchmark compliant desktop image.\n   \xe2\x80\xa2   Scoring tools and system reviews \xe2\x80\x93 The scoring tools must be installed on each system\n       that it will be run against. Automated tools have not yet been selected/developed for\n       IBM AIX or Novell NetWare, so manual system reviews will be required. The minimum\n       scoring tool score for any NRC system should be a seven. After NRC system\n       administrators have implemented the security benchmarks, a sample of representative\n       systems will be selected to verify that baseline configurations are not only completed, but\n       also completed satisfactorily.\n\nThe plan states that, while the goal is to score at least a seven, ideally, every NRC system should\nscore a ten unless a valid operational reason or justification can be provided. The plan also states\nthat different systems have different operational requirements, and the decision may be made to\nleave certain services running or not to configure certain security parameters. This is acceptable,\nas long as informed decisions are being made to deviate from the established benchmark.\nAppendix A of the plan contains a list of NRC servers requiring security baseline\nimplementation.\n\nCarson Associates reviewed a Security Benchmark Compliance Tracking report that tracks NRC\nsystem administrator progress towards implementing secure operating system benchmarks on\nNRC servers, and determining system compliance with benchmarks through the reporting of\nbenchmark scoring tool results. The document includes a compliance tracking table that lists the\nscores for servers that have had benchmarks applied to them. The document discusses concerns\nadministrators had with trying to score at least a seven on their benchmark implementation. The\ndocument states that a score of seven was arbitrarily selected so that administrators would strive\nto make systems as secure as possible. If it is determined that the best score obtainable for a\nsystem in its given environment is a five, then that is acceptable, as long as explanation as to why\na five is the best score is provided. The review team compared the table in the document to\nAppendix A of the NRC System Security Baseline Implementation Plan, and found that the\n\n\n\n                                                 26\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nmajority of the servers initially identified as requiring security baseline implementation have had\nit completed.\n\nIn addition to the six benchmarks NRC is currently using, NRC is also using industry guidelines\nfor establishing baselines for Microsoft Internet Information Server and Microsoft SQL Server.\nNational Security Agency guidelines are being used to \xe2\x80\x9charden\xe2\x80\x9d new boxes running either of\nthese services. The next \xe2\x80\x9cplatform\xe2\x80\x9d NRC plans to focus on is the Citrix servers. The Citrix\nvendor came in as part of a pilot project and deployed new Citrix servers. The vendor provided\ndocuments on Citrix best practices for securing Citrix servers. The servers also went through the\nConsolidated Test Facility standard auditing process.\n\nFor desktops, NRC has developed a standard image for Windows XP, based on NIST best\npractices. The majority of desktops at NRC are Windows NT and are being upgraded to\nWindows XP. NRC uses workstation upgrades that are \xe2\x80\x9cpushed\xe2\x80\x9d at login to keep Windows NT\ndesktop configurations consistent across NRC. LANDesk can also be used to push upgrades to\nthe desktops. Network bulletins are used to announce agency workstation updates. The bulletins\ndescribe the nature of the upgrade, and that it will occur using an automated procedure that will\noccur during network login. The bulletin includes, as an attachment, the schedule of when the\nupgrade will take place for each office in NRC.\n\nNRC currently has only one Windows 2003 server. The Windows 2000 best practices were used\nto \xe2\x80\x9charden\xe2\x80\x9d this server, as there are not any established baselines for Windows 2003 available.\nFor the Cisco routers, NRC used the Router Audit Tool. The \xe2\x80\x9chardening\xe2\x80\x9d was done only once,\nwhen the LAN/WAN was certified and accredited. NRC policy for routers is that once the\nconfiguration is set, as long as it stays the same, they do not need to be audited on a periodic\nbasis.\n\nNRC developed system security screening guidelines for preparing new systems for\nimplementation into the NRC production operating environment. The security screening ensures\nthat the system configuration meets NRC LAN/WAN security requirements. The guidelines\noutline the steps necessary to request and perform the security screening process, guidance on\nmanaging and developing a secure system, and industry best practices and additional resources.\nThe review team evaluated Security Screening Forms, results from scoring tools, results from the\nMicrosoft Baseline Security Analyzer, and results from system scans for a few servers and found\nthat the system security screening guidelines are being followed.\n\nThe benchmarks used at NRC include checks for the latest patches. The Microsoft Security\nBaseline Analyzer, which is also used when \xe2\x80\x9chardening\xe2\x80\x9d Windows servers, also checks for the\nlatest patches. The process for implementing changes to servers described above also addresses\npatching of security vulnerabilities.\n\n3.5    Incident Detection and Handling Procedures, and Incident Reporting and\n       Analysis\n\nNRC 2004 OMB FISMA Report Section E and F\n\n\n\n\n                                                 27\n\x0c                                                                                       Independent Evaluation of\n                                                                        NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nNRC\xe2\x80\x99s Information Systems Security Incident Response Procedures define the procedures for\nreporting incidents internally, for external reporting to law enforcement, and for reporting to the\nUnited States Computer Emergency Readiness Team (US-CERT)8. The procedures define the\nroles and responsibilities of the Computer Security Incident Response Capability \xe2\x80\x93 a team of\nhighly skilled and knowledgeable NRC staff responsible for responding to computer security\nincidents.\n\nThe procedures for reporting and responding to information systems security incidents include\nprocedures for:\n\n    \xe2\x80\xa2   NRC employees and system users\n    \xe2\x80\xa2   The general public\n    \xe2\x80\xa2   Help Desk personnel\n    \xe2\x80\xa2   NRC OCIO Network Operations Center\n    \xe2\x80\xa2   LAN/WAN Information System Security Officer and Computer Security Incident\n        Response Capability Team\n    \xe2\x80\xa2   Director, OCIO, Infrastructure Computing Operations Division\n\nThe procedures define reporting requirements for security incidents on a daily, weekly, and\nmonthly basis. The NRC LAN/WAN Information System Security Officer (ISSO) develops a\nmonthly report to send US-CERT on incidents at NRC. The procedures include contact\ninformation for notifying US-CERT about security incidents.\n\nThe NRC uses severity levels to categorize information security incidents. These labels convey\ninformation about the nature and impact of incidents in summary reports and verbal\ncommunications. The severity levels do not equate one-for-one with US-CERT priority levels,\nhowever the NRC reporting process provides a means to ensure that all required incident\ninformation is conveyed to US-CERT in a timely manner. NRC has not had any successful\nsecurity incidents in FY 2004, other than an occasional virus infection.\n\nNRC uses a variety of tools, techniques, and technologies to mitigate IT security risk. NRC uses\nnetwork vulnerability assessment tools to perform scans of critical systems on a periodic basis.\nNRC has performed external penetration testing of their network and systems, and internal\npenetration testing is schedule to begin soon. NRC also performs periodic testing for wireless\naccess points (NRC currently does not permit wireless access points, except during pilot tests).\nVirus detection software is installed on all mail servers and desktops. A critical server\nsupporting the Electronic Information Exchange requires client certificates for access.\n\nNRC uses a cache flow web proxy device to block active content and block access to specific\nweb sites that NRC has identified as inappropriate. All outgoing telnet and file transfer protocol\nmust go through the NRC proxy as well. There is an intrusion detection system at the perimeter\nand software that can detect unauthorized changes to files has been installed on the NRC web\n\n\n8\n  The procedures actually reference reporting to the Federal Computer Incident Response Center, which was\nreplaced with the US-CERT when the Department of Homeland Security was established.\n\n\n                                                       28\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nserver. OCIO staff members review firewall and intrusion detection logs on a daily basis. Logs\nfrom the NRC\xe2\x80\x99s web server are also reviewed daily.\n\nNRC is currently piloting a new vulnerability management system that identifies network\nvulnerabilities and provides extensive flexibility to allow NRC to tailor the vulnerability\nmanagement process to meet their business requirements in addition to their network security\nneeds.\n\n3.6    Security Awareness and Training\n\nNRC 2004 OMB FISMA Report Section G\n\nAll new NRC employees receive computer security orientation when they begin employment at\nthe agency. This orientation program consists of an oral presentation and a video. A member of\nthe computer security staff also talks to the new personnel. Annual computer security training\nhas been mandated for all employees since 1987 and is provided via an on-line ten-part security\nawareness course. OCIO maintains a database of personnel who have taken the security\nawareness course and cross checks the list on a regular basis with an employee list provided by\nNRC Human Resources. A member of the computer security staff sends a message to offices\naround the first of the month reminding them to have their employees take the course.\n\nNRC\xe2\x80\x99s online computer security training courses were updated in FY 2004 to reflect the latest\nguidance from FISMA. A network announcement was distributed and all employees and\ncontractors with IT system access have begun taking the updated course. FISMA requires that\nthe computer security awareness course be completed annually. NRC also conducted its annual\n\xe2\x80\x9cComputer Security Awareness Day\xe2\x80\x9d on November 20th, 2003. Over 200 employees and\ncontractors attended the guest speaker\xe2\x80\x99s presentation, and approximately 650 individuals visited\nbooths in the Exhibit Hall.\n\nPositions with significant security responsibilities are defined with qualifications criteria, and the\nresponsibilities are documented in position descriptions. OCIO maintains a list of all personnel\nwith specialized security responsibilities, such as the ISSOs formally appointed for each of the\napplications and systems. ISSOs must sign an acknowledgement of their responsibilities when\ntaking the position. All ISSOs are required to take an on-line ISSO training course in addition to\nthe on-line security awareness course.\n\nIn addition to the on-line courses, the agency uses Yellow Announcements to remind employees\nof NRC information technology security policies. Recent Yellow Announcements include topics\nsuch as the use of the Internet at NRC, misuse of agency computers, the Privacy Act at NRC, and\ninterim guidance for Official Use Only Information. The agency also uses network bulletins sent\nvia e-mail to alert employees of potential security concerns. For example, employees were\nrecently warned about suspicious e-mails requesting CitiBank account information. Security\nawareness articles are frequently published in NRC\xe2\x80\x99s newsletter and OCIO holds occasional\nseminars on security topics, such as the spam seminar held in July 2004.\n\nAgency staff and contractors are advised of the dangers of peer-to-peer applications during their\nannual web based security training. The on-line security awareness course includes a discussion\n\n\n                                                  29\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\nof the dangers of peer-to-peer applications such as instant messaging and there are plans to\naddress the subject in more detail in the next version of the on-line security awareness course.\nAgency policy does not explicitly prohibit peer-to-peer applications, however the agency\xe2\x80\x99s\nfirewall policy does indicate that there should be no non-proxied connection from the agency\nwithout explicit approval. Currently certain firewall filters have been put in place to block\nspecific peer-to-peer applications. While some peer-to-peer applications may be able to traverse\nthe firewall, new filters are created to combat these connections as the connections are\ndiscovered. The new firewall, planned for implementation in September 2004 will allow peer-\nto-peer applications to be blocked more easily. One type of instant messaging is permitted in\none of NRC\xe2\x80\x99s regions to provide Section 508 support for an employee.\n\nNRC is currently developing a security awareness and training plan in accordance with Office of\nPersonnel Management final regulations concerning information technology security awareness\n(5 CFR Part 930, Subpart C, effective June 14, 2004).\n\n\n\n\n                                               30\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Remove sensitive data from Management Directive 12.5, NRC Automated Information\n       Security Program, which should not be disclosed to the public.\n    2. Update the Security Services Agreement between the Department of the Interior National\n       Business Center and NRC to include a requirement to exchange relevant system security\n       plans.\n    3. Develop a Service Level Agreement and Interconnect Security Agreement between the\n       Department of the Interior National Business Center and NRC as described in the DOI\n       Evaluation Report, \xe2\x80\x9cReview of Information System Security over Systems and\n       Applications Used by the National Business Center to Provide Services to Non-\n       Department of the Interior Clients.\xe2\x80\x9d\n    4. Update the Service Level Agreement between NRC and the National Institutes of Health.\n    5. Re-certify and re-accredit the NRC Data Center/Telecommunications System.\n    6. Re-certify and re-accredit the NRC Local Area Network/Wide Area Network.\n    7. Re-certify and re-accredit the Emergency Response Data System.\n    8. Re-certify and re-accredit the Emergency Telecommunications System.\n    9. Update the NRC Local Area Network/Wide Area Network Risk Assessment.\n    10. Update the NRC Local Area Network/Wide Area Network Business Continuity Plan.\n    11. Refine the procedures for identifying weaknesses to be tracked in the Information\n        Technology Systems Security Tracking System.\n    12. Report corrected weaknesses on the POA&M for a year after their completion.\n    13. Include a completion date in the Status column of the POA&M.\n    14. Develop a process for ensuring security documentation supporting system certification\n        and accreditation is consistent with NIST guidelines.\n    15. Develop a process for ensuring security protection requirements (confidentiality,\n        integrity, availability) are consistently defined in security plans and self-assessments.\n    16. Develop a process for ensuring security test and evaluation in support of certification and\n        accreditation is comprehensive and independent.\n\n\n\n\n                                                  31\n\x0c                                                                        Independent Evaluation of\n                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n5     OIG Response to Agency Comments\n\nOn September 22, 2004, the Executive Director for Operations provided comments concerning\nthe draft Independent Evaluation Report and NRC 2004 OMB FISMA Report. We modified the\nreports as we determined appropriate in response to these comments.\n\n\n\n\n                                            32\n\x0c                                                                    Appendix A \xe2\x80\x93 Scope and Methodology\n                                                                               Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\nSCOPE AND METHODOLOGY\n\n\nThe scope of this independent evaluation of the U.S. Nuclear Regulatory Commission (NRC)\ninformation security program included:\n\n   \xe2\x80\xa2   NRC major applications and general support systems\n   \xe2\x80\xa2   NRC local area network/wide area network equipment\n   \xe2\x80\xa2   Information technology equipment supporting NRC systems\n\nThe independent evaluation did not include controls related to the management of safeguards or\nclassified information.\n\nTo accomplish the independent evaluation objectives, the independent evaluation team\nconducted interviews with Office of the Chief Information Officer staff members, and NRC\nsystem owners. The team reviewed documentation provided by NRC including risk\nassessments; security plans; contingency plans; security test and evaluation plans and reports;\ncertification and accreditation reports; and other security reviews conducted by or on behalf of\nNRC.\n\nAll analyses were performed in accordance with guidance from the following:\n\n   \xe2\x80\xa2   National Institute of Standards and Technology standards and guidelines\n   \xe2\x80\xa2   U.S. Nuclear Regulatory Commission Management Directive 12.5, NRC Automated\n       Information Systems Security Program\n   \xe2\x80\xa2   NRC Office of the Inspector General Audit Guidance\n\nThis work was conducted between June 2004 and September 2004. The work was conducted by\nJane Laroussi, Virgil Isola, Anthony Van Dyck, and Diane Reilly from Richard S. Carson &\nAssociates, Inc.\n\n\n\n\n                                                33\n\x0c                                  Appendix A \xe2\x80\x93 Scope and Methodology\n                                             Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              34\n\x0c                                                            Appendix B \xe2\x80\x93 NRC 2004 OMB FISMA Report\n                                                                           Independent Evaluation of\n                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\nNRC 2004 OMB FISMA REPORT\n\n\nOffice of Management and Budget Memorandum M-04-25, FY 2004 Reporting Instructions for\nthe Federal Information Security Management Act, instructs each agency and agency Inspector\nGeneral to provide responses for each of the performance measures in a Microsoft Excel\nspreadsheet reporting template that was provided as Section E of the Memorandum. This\nappendix presents the performance measures prepared by the Richard S. Carson Associates, Inc.,\non the behalf of the U.S. Nuclear Regulatory Commission Office of the Inspector General.\n\n\n\n\n                                              35\n\x0c                             Appendix B \xe2\x80\x93 NRC 2004 OMB FISMA Report\n                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2004\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              36\n\x0c                             2004 FISMA Report\nAgency:                             Nuclear Regulatory Commission\n\n\nDate Submitted:        09/24/2004\n\nSubmitted By:          OIG\n\nContact Information:\n           Name:       Vicki Foster\n           E-mail:     vxf@nrc.gov\n           Phone:      (301) 415-5909\n\n\n                       To enter data in allowed fields, use password: fisma\n\x0c                                                                                           NRC Report to OMB\n\n\nSection A: System Inventory and IT Security Performance\nNOTE: ALL of Section A should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n\n\n   A.1. By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs\n   and IG\'s shall each identify the total number that they reviewed as part of this evaluation in FY04. NIST 800-26, is to be used as guidance for these reviews.\n\n\n\n   A.2. For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.\n\n\n                                                               A.1                                                                                  A.2\n                                        A.1.a.               A.1.b.               A.1.c.               A.2.a.                A.2.b.               A.2.c.                A.2.d.                A.2.e.\n\n                                   FY04 Programs        FY04 Systems        FY04 Contractor         Number of             Number of             Number of      Number of systems     Number of\n                                                                             Operations or       systems certified      systems with        systems for which with a contingency systems for which\n                                                                               Facilities         and accredited       security control      security controls        plan          contingency\n                                                                                                                       costs integrated      have been tested                     plans have been\n                                                                                                                      into the life cycle    and evaluated in                          tested\n                                                                                                                        of the system          the last year\n\n\n\n                                   Total   Number   Total    Number   Total   Number   Total   Percent of  Total  Percent of  Total   Percent of  Total   Percent of  Total  Percent of\n          Bureau Name             Number Reviewed Number Reviewed Number Reviewed Number         Total    Number    Total    Number     Total    Number     Total    Number    Total\n   NRC                                   1        1       17        4       7        3      17    100.0%       17    100.0%        16     94.1%        16     94.1%       16     94.1%\nAgency Total                             1        1       17        4       7        3      17    100.0%       17    100.0%        16     94.1%        16     94.1%       16     94.1%\n\nComments:\n\nThirteen of the systems are major applications, and four are general support systems. NRC also has two major applications in development, for a total of 19 systems. Three of the systems are operating\nunder an interim accreditation. The OIG reviewed 4 major applications in detail. Of the 7 contractor operations or facilities, OIG reviewed 2 in conjunction with the system reviews, and reviewed a recent\nnetwork security testing report for another.\n\n\n\n\n                                                                                                  2 of 10\n\x0c                                                                                            NRC Report to OMB\n\n                                                                                                    A.3\n\n\n   A.3. Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. If appropriate or necessary, include\n   comments in the Comment area provided below.\n\n\n                                                               Statement                                                                                            Evaluation\n\n\n        a. Agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided services or\n        services provided by another agency for their program and systems are adequately secure and meet the requirements of                          Almost Always, or 96-100% of the time\n        FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\n\n        b. The reviews of programs, systems, and contractor operations or facilities, identified above, were conducted using the NIST\n                                                                                                                                                          Frequently, or 71-80% of the time\n        self-assessment guide, 800-26.\n\n\n        c. In instances where the NIST self-assessment guide was not used to conduct reviews, the alternative methodology used\n                                                                                                                                                      Almost Always, or 96-100% of the time\n        addressed all elements of the NIST guide.\n\n\n        d. The agency maintains an inventory of major IT systems and this inventory is updated at least annually.                                     Almost Always, or 96-100% of the time\n\n\n        e. The OIG was included in the development and verification of the agency\xe2\x80\x99s IT system inventory.                                              Almost Always, or 96-100% of the time\n\n\n        f. The OIG and the CIO agree on the total number of programs, systems, and contractor operations or facilities.                               Almost Always, or 96-100% of the time\n\n\n        g. The agency CIO reviews and concurs with the major IT investment decisions of bureaus (or major operating components)\n                                                                                                                                                      Almost Always, or 96-100% of the time\n        within the agency.\n\n                                                               Statement                                                                                             Yes or No\n\n\n        h. The agency has begun to assess systems for e-authentication risk.                                                                                            Yes\n\n\n        i. The agency has appointed a senior agency information security officer that reports directly to the CIO.                                                      Yes\n\n\nComments:\nb. NRC uses NIST SP 800-26 for reviewing their own programs and systems, however NRC primarily uses methods other than NIST SP 800-26 for reviewing contractor operations and facilities. NRC\npresumes that that two agencies supporting NRC are also following FISMA and NIST guidelines, and there are agreements in place with the 2 Federal agencies. For contractors and commercial\nentities providing services, NRC includes security requirements in contract language.\n\ne. The OIG does not participate in the development of the agency\'s major IT system inventory, but does verify the inventory is accurate and up to date.\n\ni. NRC\'s SITSO left the agency in late 2003 in late 2003, and as of December 12, 2003, the Director of the Program Management, Policy Development, and Analysis Staff within the Office of the Chief\nInformation Officer is currently serving as acting SITSO. The agency is in the process of looking for someone to fill the position and anticipates hiring a new SITSO in the next 60 days. The former\nSITSO did not report directly to the CIO, and the new SITSO, once hired, will also not report directly to the CIO. The SITSO will report to the Director of the Program Management, Policy Development,\nand Analysis Staff within the Office of the Chief Information Officer on day-to-day matters, and will have direct access to the CIO on any computer security issues.\n\n\n\n\n                                                                                                  3 of 10\n\x0c                                                                              NRC Report to OMB\n\n\nSection B: Identification of Significant Deficiencies\nNOTE: ALL of Section B should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n\n\n   B.1. By bureau, identify all FY 04 significant deficiencies in policies, procedures, or practices required to be reported under existing law. Describe each on a separate row,\n   and identify which are repeated from FY03. In addition, for each significant deficiency, indicate whether a POA&M has been developed. Insert rows as needed.\n\n\n                                                                                      B.1.\n                                                                                               FY04 Significant Deficiencies\n                                                            Total Number                                                                                             POA&M\n                                               Total          Repeated                                                                                             developed?\n               Bureau Name                    Number         from FY03                   Identify and Describe Each Significant Deficiency                          Yes or No\nNRC                                                     0               0\nAgency Total                                            0              0\n\nComments:\n\n\n\n\n                                                                                     4 of 10\n\x0c                                                                          NRC Report to OMB\n\n\nSection C: OIG Assessment of the POA&M Process\nNOTE: Section C should *ONLY* be completed by the OIG. The CIO should leave this section blank.\nTo enter data in allowed fields, use password: fisma\n\n   C.1. Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency-wide plan of\n   action and milestone (POA&M) process. This question is for IGs only. Evaluate the degree to which the following statements reflect the status in your agency by\n   choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.\n\n                                                                                   C.1\n                                                 Statement                                                                          Evaluation\n\n        a. Known IT security weaknesses, from all components, are incorporated into the POA&M.                   Almost Always, or 96-100% of the time\n\n        b. Program officials develop, implement, and manage POA&Ms for systems they own and\n                                                                                                                 Almost Always, or 96-100% of the time\n        operate (systems that support their program or programs) that have an IT security weakness.\n\n        c. Program officials report to the CIO on a regular basis (at least quarterly) on their remediation\n                                                                                                                 Almost Always, or 96-100% of the time\n        progress.\n\n        d. CIO develops, implements, and manages POA&Ms for every system they own and operate (a\n                                                                                                                 Almost Always, or 96-100% of the time\n        system that supports their program or programs) that has an IT security weakness.\n\n        e. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.          Almost Always, or 96-100% of the time\n\n        f. The POA&M is the authoritative agency and IG management tool to identify and monitor agency\n                                                                                                                 Almost Always, or 96-100% of the time\n        actions for correcting information and IT security weaknesses.\n        g. System-level POA&Ms are tied directly to the system budget request through the IT business\n                                                                                                                 Almost Always, or 96-100% of the time\n        case as required in OMB budget guidance (Circular A-11).\n\n        h. OIG has access to POA&Ms as requested.                                                                Almost Always, or 96-100% of the time\n\n        i. OIG findings are incorporated into the POA&M process.                                                 Almost Always, or 96-100% of the time\n        j. POA&M process prioritizes IT security weaknesses to help ensure that significant IT security\n                                                                                                                 Almost Always, or 96-100% of the time\n        weaknesses are addressed in a timely manner and receive appropriate resources.\n\nComments:\nThe CIO maintains an internal tracking system used as a POA&M tool for tracking security weaknesses of all NRC systems, not just those owned by CIO. Program\nofficials are still responsible for providing inputs to the tracking system, for correcting weaknesses, and for providing updates to CIO. CIO uses a separate POA&M to\ntrack weaknesses reported to OMB on a quarterly basis.\n\n\n\n\n                                                                                 5 of 10\n\x0c                                                             NRC Report to OMB\n\n\nC.1 OIG Assessment of the Certification and Accreditation Process\nSection C should only be completed by the OIG. OMB is requesting IGs to assess the agency\xe2\x80\x99s certification and accreditation process in\norder to provide a qualitative assessment of this critical activity. This assessment should consider the quality of the Agency\xe2\x80\x99s certification and\naccreditation process. Any new certification and accreditation work initiated after completion of NIST Special Publication 800-37 should be\nconsistent with NIST Special Publication 800-37. This includes use of the FIPS 199, \xe2\x80\x9cStandards for Security Categorization of Federal\nInformation and Information Systems,\xe2\x80\x9d to determine an impact level, as well as associated NIST documents used as guidance for completing\nrisk assessments and security plans. Earlier NIST guidance is applicable to any certification and accreditation work completed or initiated\nbefore finalization of NIST Special Publication 800-37. Agencies were not expected to use NIST Special Publication 800-37 as guidance\nbefore it became final.\n\n                                     Statement                                                                 Evaluation\n     Assess the overall quality of the Agency\'s certification and accreditation\n     process.\n\n     Comments: The OIG reviewed the C&A packages for four systems as part of\n     the system evaluations conducted for the FY 2004 FISMA review. All systems\n     followed the NRC C&A process, which is based on NIST guidance. All of the\n     C&A packages for the systems that were reviewed contained all of the required\n     documentation (i.e., risk assessment, security plan, security test and evaluation\n     plan and report, contingency plan, contingency plan test report, ISSO                 Good\n     appointment memo, certification report with certification signature, and\n     accreditation signature). However, in some cases the documentation was not\n     consistent with NIST guidelines, and in some cases, security protection\n     requirements (confidentiality, integrity, availability) were inconsistent within\n     security documentation. Security test and evaluation conducted on one system\n     as part of the C&A of the system was not comprehensive and was not\n     performed by an independent party.\n\n\n\n\n                                                                    6 of 10\n\x0c                                                                     NRC Report to OMB\n\n\nSection D\nNOTE: ALL of Section D should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n\n\n   D.1. First, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agencywide security configuration\n   requirements address each listed application or operating system (Yes, No, or Not Applicable), and then evaluate the degree to which these configurations\n   are implemented on applicable systems. For example: If your agency has a total of 200 systems, and 100 of those systems are running Windows 2000,\n   the universe for evaluation of degree would be 100 systems. If 61 of those 100 systems follow configuration requirement policies, and the configuration\n   controls are implemented, the answer would reflect "yes" and "51-70%". If appropriate or necessary, include comments in the Comment area provided\n   below.\n   D.2. Answer Yes or No, and then evaluate the degree to which the configuration requirements address the patching of security vulnerabilities. If\n   appropriate or necessary, include comments in the Comment area provided below.\n                                                                        D.1. & D.2.                                        D.1.              D.2.\n                                                                                                                           Yes,\n                                                                                                                          No, or\n                                                                                                                           N/A           Evaluation\nD.1. Has the CIO implemented agencywide policies that require detailed specific security configurations and what is the\ndegree by which the configurations are implemented?                                                                        Yes\n                                                                                                                                    Almost Always, or 96-\n                 a. Windows XP Professional\n                                                                                                                           Yes      100% of the time\n                                                                                                                                    Almost Always, or 96-\n                 b. Windows NT\n                                                                                                                           Yes      100% of the time\n                 c. Windows 2000 Professional                                                                              N/A\n                                                                                                                                    Almost Always, or 96-\n                 d. Windows 2000\n                                                                                                                           Yes      100% of the time\n                                                                                                                                    Almost Always, or 96-\n                 e. Windows 2000 Server\n                                                                                                                           Yes      100% of the time\n                                                                                                                                    Almost Always, or 96-\n                 f. Windows 2003 Server\n                                                                                                                           Yes      100% of the time\n                                                                                                                                    Almost Always, or 96-\n                 g. Solaris\n                                                                                                                           Yes      100% of the time\n                 h. HP-UX                                                                                                  No\n                                                                                                                                    Almost Always, or 96-\n                 i. Linux\n                                                                                                                           Yes      100% of the time\n                                                                                                                                    Almost Always, or 96-\n                 j. Cisco Router IOS\n                                                                                                                           Yes      100% of the time\n                 k. Oracle                                                                                                 N/A\n                                                                                                                                    Almost Always, or 96-\n                 l. Other. Specify: Novell, AIX\n                                                                                                                           Yes      100% of the time\n                                                                                                                          Yes or\n                                                                                                                           No\n                                                                                                                                         Evaluation\n\n        D.2. Do the configuration requirements implemented above in D.1.a-f., address patching of security                          Almost Always, or 96-\n        vulnerabilities?                                                                                                   Yes      100% of the time\n\nComments:\n\n\n\n\n                                                                            7 of 10\n\x0c                                                                                  NRC Report to OMB\n\n\nSection E: Incident Detection and Handling Procedures\nNOTE: ALL of Section E should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n\n   E.1. Evaluate the degree to which the following statements reflect the status at your agency. If appropriate or necessary, include comments in the Comment area provided\n   below.\n\n                                                                                           E.1\n\n                                                            Statement                                                                                      Evaluation\n\n                 a. The agency follows documented policies and procedures for reporting incidents internally.                               Almost Always, or 96-100% of the time\n\n                 b. The agency follows documented policies and procedures for external reporting to law enforcement\n                                                                                                                                            Almost Always, or 96-100% of the time\n                 authorities.\n                 c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness\n                                                                                                                                            Almost Always, or 96-100% of the time\n                 Team (US-CERT). http://www.us-cert.gov\n                                                                                          E.2.\n   E.2. Incident Detection Capabilities.\n                                                                                                                                            Number of         Percentage of\n                                                                                                                                             Systems          Total Systems\n                           a. How many systems underwent vulnerability scans and penetration tests in FY04?                                              14         82%\n                           b. Specifically, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?\n                                  Answer:\n                                      Network vulnerability assessment tools, external penetration testing, internal penetration testing scheduled to begin soon. Testing for wireless\n                                      access points. Virus detection software on all mail servers & desktops. Cache flow web proxy device to block active content & block access to\n                                      specific web sites. Intrusion detection system at the perimeter. Firewall, intrusion detection, and web logs reviewed on a daily basis.\n\n\n\n\nComments:\n\n\nNRC conducts vulnerability scans and penetration tests on portions of their network and not on specific individual NRC systems. Some servers supporting NRC systems were\nscanned when their operating systems were upgraded (part of NRC\'s process for putting new servers into production). External penetration testing of NRC\'s network was conducted\nin FY 2004. Two NRC systems, and portions of a third, are not housed at NRC, and were not included in any scanning or penetration testing conducted by NRC.\n\n\n\n\n                                                                                         8 of 10\n\x0c                                                                         NRC Report to OMB\n\nSection F: Incident Reporting and Analysis\nNOTE: ALL of Section F should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n   F.1. For each category of incident listed: identify the total number of successful incidents in FY04, the number of incidents reported to US-CERT, and the number\n   reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category VII, "Other". If\n   appropriate or necessary, include comments in the Comment area provided below.\n   F.2. Identify the number of systems affected by each category of incident in FY04. If appropriate or necessary, include comments in the Comment area\n   provided below.\n                                                                             F.1., F.2. & F.3.\n                                                                                    F.1.                                                F.2.\n                                                                      Number of Incidents, by category:              Number of systems affected, by category, on:\n\n\n\n                                                                     F.1.a           F.1.b.          F.1.c.          F.2.a.         F.2.b.             F.2.c.\n                                                                  Reported       Reported to US- Reported to law Systems with Systems without       How many\n                                                                  internally         CERT         enforcement complete and up- complete and up-     successful\n                                                                                                                 to-date C&A     to-date C&A    incidents occurred\n                                                                                                                                                     for known\n                                                                                                                                                 vulnerabilities for\n                                                                                                                                                which a patch was\n                                                                                                                                                     available?\n\n\n                                                                                                                    Number of      Number of       Number of\n                                                                 Number of         Number of       Number of         Systems        Systems         Systems\n                                                                 Incidents         Incidents       Incidents         Affected       Affected        Affected\n     I. Root Compromise                                                      0                 0               0 n/a            n/a            n/a\n     II. User Compromise                                                     0                 0               0 n/a            n/a            n/a\n     III. Denial of Service Attack                                           0                 0               0 n/a            n/a            n/a\n     IV. Website Defacement                                                  0                 0               0 n/a            n/a            n/a\n     V. Detection of Malicious Logic                                     33449             33449               0 n/a            n/a            n/a\n     VI. Successful Virus/worm Introduction                                 93                93               0 n/a            n/a            n/a\n     VII. Other                                                              0                 0               0 n/a            n/a            n/a\n                                                      Totals:            33542             33542               0              0              0                           0\n\nComments:\nNRC\'s reporting of security events changed in December 2003. In the 1st 2 months of FY 2004, NRC reported on 12 types of suspicious activity, and categorized the\nevents based on a 5 level system. Level 1 events are observations, level 2 - warnings, level 3 - alerts, level 4 - damage, and level 5 - exploits. For the purposes of\nreporting successful incidents, only level 3 and higher events would be considered successful. In the 1st 2 months of FY 2004, no level 3 or higher events were\nreported. Starting in December 2003, NRC\'s reports include eight types of events that reflect the eight event types reported in US-CERT statistics. Categories V and\nVI were not tracked in NRC reports for October and November 2003. Detection of malicious logic is considered to be viruses/worms detected at the agency\'s mail\ngateway, and by virus detection software on servers and workstations. Successful virus/worm introduction are those that were not detected, and had to be cleaned.\nOnly workstations (no servers) had any actual "infections."\n\n\n\n\n                                                                                 9 of 10\n\x0c                                                                            NRC Report to OMB\n\n\nSection G: Training\nNOTE: ALL of Section G should be completed by BOTH the Agency CIO and the OIG.\nTo enter data in allowed fields, use password: fisma\n\n   G.1. Has the agency CIO ensured security training and awareness of all employees, including contractors and those employees with significant IT security\n   responsibilities? If appropriate or necessary, include comments in the Comment area provided below.\n                                                                                   G.1.\n    G.1.a.                    G.1.b.                   G.1.c.                     G.1.d.                              G.1.e.                            G.1.f.\n\nTotal number of Employees that received IT        Total number of Employees with significant             Briefly describe training provided         Total costs for\n employees in security awareness training         employees with security responsibilities that                                                      providing IT\n     FY04        in FY04, as described in          significant IT received specialized training,                                                  security training in\n                 NIST Special Publication             security     as described in NIST Special                                                          FY04\n                         800-50                   responsibilities Publications 800-50 and 800-                                                        (in $\'s)\n                                                                                16\n\n\n\n                    Number        Percentage                            Number         Percentage\n\n\n                                                                                                    Security awareness training course required\n     3,468            3,023            87.2%             34                 32             94.1%    for all employees, taken annually. ISSO            $46,300\n                                                                                                    training course.\n                                                                                   G.2.\n                                                                                 Yes or No\n   a. Does the agency explain policies regarding peer-to-peer\n   file sharing in IT security awareness training, ethics training,                Yes\n   or any other agency wide training?\n                                                                      Yes            No\nComments:\nTotal number of employees as of September 21, 2004. The number of employees includes NRC employees and contractors with LAN accounts vs. all\nemployees at NRC. Only employees and contractors with LAN accounts are required to take awareness training.\n\n\n\n\n                                                                                  10 of 10\n\x0c'